TLDR:
- Atlassian has patched a critical SQL injection vulnerability in Bamboo Data Center and Server, along with 24 other flaws in Bitbucket, Confluence, and Jira Software.
- The vulnerabilities range from SQL injection and Path Traversal to Denial of Service, Remote Code Execution, and Server-side Request Forgery.
In a recent security bulletin, Atlassian announced fixes for a critical vulnerability in Bamboo Data Center and Server, tracked as CVE-2024-1597 and rated CVSS 10.0 (Critical). The flaw is a SQL injection in a non-Atlassian dependency (the PostgreSQL JDBC driver, org.postgresql:postgresql) rather than in Atlassian's own code, and according to the bulletin it can be exploited by an unauthenticated attacker with no user interaction, with high impact to confidentiality, integrity, and availability. In the same bulletin Atlassian fixed 24 other vulnerabilities across Bitbucket, Confluence, and Jira Software, covering Denial of Service, Path Traversal, Remote Code Execution, and Server-side Request Forgery.
Also on the list for Bamboo Data Center and Server is a high severity Denial of Service vulnerability in the software.amazon.ion:ion-java dependency, tracked as CVE-2024-21634 and rated 7.8 (High). The bulletin records the same class of dependency-level issues in other Atlassian products, including Bitbucket and Confluence, under separate CVE numbers and with their own severity ratings.
For Jira Software Data Center and Server, Atlassian addressed 21 vulnerabilities: three Remote Code Execution vulnerabilities, one Server-side Request Forgery vulnerability, and 17 Denial of Service vulnerabilities. The bulletin lists the fixed versions for each product together with the CVE assigned to each vulnerability.
Because several of these flaws live in third-party dependencies rather than in Atlassian's own code, they will not show up as Atlassian-specific findings in a dependency scanner; administrators should compare their deployed Bamboo, Bitbucket, Confluence, and Jira Software versions against the fixed versions in the bulletin and upgrade, treating the CVSS 10.0 Bamboo issue as the priority since it requires neither authentication nor user interaction.