Atlassian fixes four critical RCE vulnerabilities, patch quickly!
Atlassian has released security updates for four critical vulnerabilities (CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523) in its various offerings that could be exploited to execute arbitrary code.
About the vulnerabilities
CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java that can lead to remote code execution (RCE).
It affects the Automation for Jira app (including the Server Lite edition), Bitbucket Data Center, Bitbucket Server, Confluence Data Center, Confluence Server, Confluence Cloud, Migration App, Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server, Jira Software Data Center and Jira Software Server.
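For readers who maintain their own Java code on top of SnakeYAML, the following is an added illustration (not code from Atlassian or from this article) of the class of flaw behind CVE-2022-1471: SnakeYAML's default constructor honours global tags, so a document from an untrusted source can name arbitrary classes for the parser to instantiate, while the library's SafeConstructor limits parsing to plain YAML types. The sample documents and the class name in the tag are constructed placeholders; the SafeConstructor(LoaderOptions) signature assumes SnakeYAML 1.32 or later (including 2.x).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoading {

    // Vulnerable pattern: the default Constructor resolves global tags to
    // Java classes, which is the behaviour CVE-2022-1471 describes. Only
    // acceptable for documents the application itself produced.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor builds only standard YAML types
    // (maps, lists, strings, numbers, booleans, null) and throws on any
    // tag that names a class. LoaderOptions adds defence in depth.
    static Object loadSafe(String untrustedYaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);     // reject ambiguous documents
        opts.setMaxAliasesForCollections(50);  // bound alias expansion (memory DoS)
        return new Yaml(new SafeConstructor(opts)).load(untrustedYaml);
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary configuration document parses fine.
        String plain = "name: build-job\nretries: 3\n";
        Map<?, ?> cfg = (Map<?, ?>) loadSafe(plain);
        System.out.println("parsed: " + cfg);

        // Constructed sample: a document carrying a global tag that names a
        // class (placeholder name). SafeConstructor refuses to construct it.
        String tagged = "!!com.example.Placeholder {}\n";
        try {
            loadSafe(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical check for a code base is a search for `new Yaml()` and `new Constructor(` on any input that did not originate inside the application; those call sites are the ones to move to SafeConstructor, independently of upgrading the library version.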
The other three vulnerabilities also allow RCE and affect the following products:
- CVE-2023-22522 – Confluence Data Center and Server
- CVE-2023-22524 – Confluence Data Center, Server, and Cloud
- CVE-2023-22523 – Jira Service Management Cloud, Data Center, and Server
The company does not say whether the vulnerabilities have been exploited in the wild, but recommends that users upgrade to the fixed versions as soon as possible.
Temporary mitigations for CVE-2023-22522, CVE-2023-22524 and CVE-2023-22523 are available for users who can’t patch immediately.
Recently exploited Atlassian vulnerabilities
Atlassian recently patched two vulnerabilities in Confluence Data Center and Server that had been exploited by attackers: a zero-day (CVE-2023-22515) that stemmed from broken access control, and CVE-2023-22518, a vulnerability that allowed attackers to reset the database of vulnerable instances and create a Confluence instance administrator account.