Atlassian has released critical software fixes addressing four vulnerabilities, including a high-severity deserialization flaw (CVE-2022-1471) in the SnakeYAML library, with a CVSS score of 9.8. Another significant vulnerability (CVE-2023-22522) is described as a template injection flaw in Confluence, enabling authenticated attackers, including those with anonymous access, to inject unsafe input and achieve code execution. The third flaw (CVE-2023-22523) affects Assets Discovery for Jira Service Management, allowing remote code execution on machines with the agent installed. The fourth vulnerability (CVE-2023-22524) impacts the Atlassian Companion app for macOS, permitting code execution via WebSockets to bypass blocklists and macOS Gatekeeper protections.
The advisory from Atlassian emphasizes the critical nature of these vulnerabilities, highlighting specific risks associated with each. For instance, the template injection flaw in Confluence poses a significant threat by enabling attackers to inject unsafe input into Confluence pages, potentially leading to code execution. The Assets Discovery flaw allows attackers to perform privileged remote code execution on machines with the agent installed. Additionally, the vulnerability in the Atlassian Companion app for macOS could be exploited to achieve code execution by circumventing blocklists and macOS Gatekeeper protections using WebSockets.
This release follows Atlassian’s recent disclosure of an actively exploited security flaw in Apache ActiveMQ, impacting its Bamboo Data Center and Server products. The company has provided fixes for this flaw in versions 9.2.7, 9.3.5, and 9.4.1 or later. Given the increasing targeting of Atlassian products in cyberattacks, users are strongly advised to promptly update their installations to the patched versions to mitigate these security risks.
Referral link:
