Atlassian Patches Critical Bamboo Server & Other 24 Flaws

by Esmeralda McKenzie

A critical vulnerability has been found in Bamboo Data Center and Server; it has been assigned CVE-2024-1597 with a severity of 10.0 (Critical).

Atlassian specifically noted that this vulnerability lies in a non-Atlassian dependency of Bamboo, not in Bamboo's own code.


“Atlassian’s implementation of the dependency presents a lower assessed risk, which is why we’re disclosing this vulnerability in our monthly Security Bulletin rather than a Critical Security Advisory,” reads the security bulletin from Atlassian.

Alongside this, Atlassian fixed 24 other vulnerabilities across several other products, including Bitbucket Data Center and Server, Confluence Data Center and Server, and Jira Software Data Center and Server.


The fixed vulnerabilities cover several classes of flaws, including Denial of Service, Path Traversal, Remote Code Execution, and Server-Side Request Forgery.

Atlassian Patches 24 Flaws

According to the reports shared with Cyber Security News, the critical vulnerability in Bamboo Data Center and Server is an SQL injection (SQLi) flaw in the org.postgresql:postgresql dependency.

This vulnerability could allow a threat actor to expose assets in the vulnerable environment without any user interaction.

However, Atlassian has stated that this is an “unexploitable Critical severity vulnerability” in its product and has classified it as low risk to Atlassian.

This vulnerability exists in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.

Affected versions              Fixed versions
9.5.0 to 9.5.1                 9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only
9.4.0 to 9.4.3                 9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4
9.3.0 to 9.3.6                 9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4
9.2.0 to 9.2.11 (LTS)          9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4; or 9.2.12 (LTS)
9.1.0 to 9.1.3                 9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4; or 9.2.12 (LTS)
9.0.0 to 9.0.4                 9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4; or 9.2.12 (LTS)
8.2.0 to 8.2.9                 9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4; or 9.2.12 (LTS)
Any earlier versions           9.6.0 (LTS) recommended, Data Center only; or 9.5.2, Data Center only; or 9.4.4; or 9.2.12 (LTS)

In addition, Atlassian addressed another high severity vulnerability in Bamboo Data Center and Server, this one a Denial of Service flaw.

This DoS vulnerability exists in the software.amazon.ion:ion-java dependency and has been assigned CVE-2024-21634 with a severity of 7.8 (High).

The Atlassian security bulletin further notes that Bitbucket Data Center received a patch for another Denial of Service vulnerability carrying the same DoS CVE as the Bamboo Data Center and Server flaw.

The Confluence Data Center and Server product, meanwhile, had a Path Traversal and a Denial of Service vulnerability fixed as part of this security bulletin.

The CVEs for these vulnerabilities were given as CVE-2024-21677 (8.3 – High) and CVE-2023-36478 (7.5 – High).

Jira Software Data Center and Server was the product with the most fixes, with nearly 20 vulnerabilities addressed. Among these were:

  • 3 Remote Code Execution vulnerabilities (CVE-2022-42890, CVE-2022-41704, CVE-2022-34169)
  • 1 Server-Side Request Forgery vulnerability (CVE-2022-40146) and
  • 17 Denial of Service vulnerabilities:
    • CVE-2022-40150
    • CVE-2023-34455
    • CVE-2023-1436
    • CVE-2022-45685
    • CVE-2022-29546
    • CVE-2022-40149
    • CVE-2023-39410
    • CVE-2023-34454
    • CVE-2023-34453
    • CVE-2023-43642
    • CVE-2022-3509
    • CVE-2022-3171
    • CVE-2023-5072
    • CVE-2022-45688
    • CVE-2022-24839
    • CVE-2022-28366

The fixed versions and further details for each product are available in the security bulletin from Atlassian.


Source credit : cybersecuritynews.com
