Atlassian announced the release of updates to address multiple high-severity vulnerabilities in Confluence, Crucible, and Jira. The updates fix six security defects in Confluence Data Center and Server, including a critical broken access control issue in the Spring Framework (CVE-2024-22257) and three server-side request forgery (SSRF) vulnerabilities (CVE-2024-22243, CVE-2024-22262, CVE-2024-22259). Additionally, patches were provided for two out-of-bounds write bugs in Apache Commons Configuration, preventing potential denial-of-service (DoS) conditions.
The Crucible update addresses a deserialization of untrusted data vulnerability in the com.google.code.gson
package, which could be exploited by unauthenticated attackers to cause a DoS condition. This issue impacts Crucible version 4.8.0 and below, with fixes applied in versions 4.8.15 and higher. Jira Data Center and Server, along with Jira Service Management Data Center and Server, also received updates to patch an information disclosure vulnerability (CVE-2024-21685) that could be exploited without authentication.
Atlassian’s comprehensive updates ensure that vulnerabilities across their platforms are addressed, enhancing the security posture of their software products. The latest versions of Confluence, Crucible, and Jira now include these critical patches, with specific versions detailed in their June 2024 Security Bulletin. Notably, there have been no reports of these vulnerabilities being exploited in the wild.
These proactive measures by Atlassian demonstrate their commitment to maintaining secure and robust software solutions for their users. By addressing these high-severity vulnerabilities promptly, Atlassian mitigates potential security risks and safeguards the integrity of their systems. Users are encouraged to update to the latest versions to benefit from these essential security improvements.
Reference:
