Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.
The list of vulnerabilities is below –
- CVE-2022-1471 (CVSS score: 9.8) – Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
- CVE-2023-22522 (CVSS score: 9.0) – Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0)
- CVE-2023-22523 (CVSS score: 9.8) – Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server)
- CVE-2023-22524 (CVSS score: 9.6) – Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0)
The Assets Discovery flaw allows an attacker to perform privileged remote code execution on machines with the Assets Discovery agent installed, whereas CVE-2023-22524 could permit an attacker to achieve code execution by utilizing WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections.
The advisory comes nearly a month after the Australian software company revealed all versions of its Bamboo Data Center and Server products are impacted by an actively exploited critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). Fixes have been released in versions 9.2.7, 9.3.5, and 9.4.1 or later.
Source: https://thehackernews.com/