Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.
Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.
Described as an SQL injection flaw, it is rooted in a third-party dependency, org.postgresql:postgresql, which is why the company said it “presents a lower assessed risk” despite the critical rating.
According to the description of the flaw in NIST’s National Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE.” Driver versions prior to those listed below are affected –
- 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9, and
- 42.2.28 (also fixed in 42.2.28.jre7)
“There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.”
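Both conditions above, an unpatched driver version and a connection configured for simple query mode, can be checked from an inventory of JDBC connection settings. The following Python script is an added example, not code from the article, Atlassian or the pgjdbc project: it encodes the fixed releases listed above and treats `preferQueryMode` as the pgjdbc connection parameter the NVD text refers to; hostnames and version strings in it are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# pgjdbc branch -> first release on that branch that contains the fix (the list above).
FIXED_VERSIONS = {
    (42, 7): (42, 7, 2), (42, 6): (42, 6, 1), (42, 5): (42, 5, 5),
    (42, 4): (42, 4, 4), (42, 3): (42, 3, 9), (42, 2): (42, 2, 28),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """'42.2.28.jre7' -> (42, 2, 28); a trailing JRE qualifier is ignored."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def driver_is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    # Branches newer than 42.7 post-date the fix; anything older than 42.2 is
    # treated as unpatched because the advisory lists no fixed release for it.
    return branch > (42, 7)

def uses_simple_query_mode(jdbc_url: str, props: Optional[dict] = None) -> bool:
    """True if the URL query string or a Properties-style dict selects simple mode.
    Names and values are compared case-insensitively, so 'PreferQueryMode=SIMPLE'
    as written in the NVD text is caught as well."""
    url_params = parse_qs(urlsplit(jdbc_url).query)
    values = [v[-1] for k, v in url_params.items() if k.lower() == "preferquerymode"]
    values += [v for k, v in (props or {}).items() if k.lower() == "preferquerymode"]
    # Flag if either source selects simple mode; if absent, pgjdbc uses its default
    # (extended) mode, which the advisory says is not vulnerable.
    return any(v.lower() == "simple" for v in values)

def assess(version: str, jdbc_url: str, props: Optional[dict] = None) -> str:
    """Classify one deployment against both conditions of CVE-2024-1597."""
    if driver_is_patched(version):
        return "not affected: driver includes the fix"
    if not uses_simple_query_mode(jdbc_url, props):
        return "not affected: default query mode in use"
    return "affected: unpatched driver with preferQueryMode=simple"

if __name__ == "__main__":   # constructed sample input, not a real host
    print(assess("42.5.4", "jdbc:postgresql://db.internal:5432/bamboo?preferQueryMode=simple"))
```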
The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –
- 8.2.1
- 9.0.0
- 9.1.0
- 9.2.1
- 9.3.0
- 9.4.0, and
- 9.5.0
SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.
Source: https://thehackernews.com/