EXECUTIVE SUMMARY
Atlassian's latest security bulletin addressed high-severity vulnerabilities in Jira, Crucible, and Confluence. The most critical issue involved incorrect authorization. Additionally, an update for Confluence Data Center and Server, which depends on org.springframework.security, resolved SSRF (Server-Side Request Forgery) and DoS vulnerabilities.
- CVE-2024-22257: Affects Atlassian Confluence Data Centre and Confluence Server versions 1.0.1 through 8.9.1, 8.5.9, and 7.19.22. It is categorized as an "Improper Authorization" vulnerability with a CVSS score of 8.2. The issue stems from inadequate access control mechanisms, potentially allowing attackers to perform unauthorized actions.
- CVE-2024-22243: Affects Atlassian Confluence Data Centre and Confluence Server versions 1.0.1 through 8.9.0, 8.5.9, and 7.19.23. It is classified as a "Server-Side Request Forgery (SSRF)" vulnerability with a CVSS score of 8.1. It could be exploited remotely without user interaction, potentially leading to unauthorized access to internal systems and services.
- CVE-2024-22262: Affects Atlassian Confluence Data Centre and Confluence Server versions 1.0.1 through 8.9.3, 8.5.11, and 7.19.24. Like CVE-2024-22243, it is a "Server-Side Request Forgery (SSRF)" vulnerability with a CVSS score of 8.1. Exploitation could allow attackers to manipulate requests sent by the server, potentially reaching sensitive data or internal services.
- CVE-2024-22259: Affects Atlassian Confluence Data Centre and Confluence Server versions 1.0.1 through 8.9.1, 8.5.9, and 7.19.23. It is another "Server-Side Request Forgery (SSRF)" vulnerability with a CVSS score of 8.1 and is similar to CVE-2024-22243 and CVE-2024-22262: it enables attackers to have the server send crafted requests to other internal or external systems.
- CVE-2024-29133: Affects Atlassian Confluence Data Centre and Confluence Server versions 1.0.1 through 8.9.0, 8.5.9, and 7.19.23. It is categorized as a "Denial of Service (DoS)" vulnerability with a CVSS score of 7.5. It could be exploited remotely to exhaust server resources, disrupting service availability.
- CVE-2024-29131: Affects Atlassian Confluence Data Centre and Confluence Server versions 1.0.1 through 8.9.0, 8.5.9, and 7.19.23. It is another "Denial of Service (DoS)" vulnerability with a CVSS score of 7.5. Exploitation could overwhelm the server with malicious requests, producing a denial-of-service condition that impacts availability.
- CVE-2024-21685: Affects Atlassian Jira Core Data Centre versions 9.4.0 through 9.16.0 and Atlassian Jira Service Management Data Centre and Server versions 5.4.0 through 5.16.0, both with a CVSS score of 7.4. It is classified as an "Information Disclosure" vulnerability: because of inadequate access controls, unauthorized users could gain access to sensitive information in either product.
RECOMMENDATION:
We strongly recommend that you update Atlassian products to the versions below:
- Confluence Data Centre and Server to version 8.5.11 (LTS), 7.19.24 (LTS) or 8.9.3 (Data Centre only).
- Jira Data Center and Server to versions 9.12.8 to 9.12.10 (LTS), 9.4.21 to 9.4.23 (LTS) or 9.16.0 to 9.16.1 (Data Center only).
- Jira Service Management Data Center and Server to versions 5.12.8 to 5.12.10 (LTS), 5.4.21 to 5.4.23 (LTS) or 5.16.0 to 5.16.1 (Data Center only).
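As an added example (not Atlassian's code and not part of the bulletin), the check below classifies an inventory of installed versions against the fixed builds in the recommendation above; the product labels, hostnames and sample versions are assumptions, and where the recommendation gives a version range its lower bound is taken as the minimum fixed build:

```python
# Added example, not Atlassian's code: classify installed Confluence, Jira and
# Jira Service Management ("jsm", a label chosen here) versions against the
# fixed builds in the recommendation. Where a range is given, its lower bound
# is the minimum fixed build. Versions are assumed to be dotted integers.
from __future__ import annotations

FIXED_VERSIONS = {
    "confluence": {"8.5": "8.5.11", "7.19": "7.19.24", "8.9": "8.9.3"},
    "jira": {"9.12": "9.12.8", "9.4": "9.4.21", "9.16": "9.16.0"},
    "jsm": {"5.12": "5.12.8", "5.4": "5.4.21", "5.16": "5.16.0"},
}

def parse_version(version: str) -> tuple[int, ...]:
    """Turn "8.5.9" into (8, 5, 9). Tuples compare component-wise, so '>='
    orders builds correctly (8.5.9 < 8.5.11), unlike a string comparison."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def check_version(product: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable', or 'no-fix-on-line'. The last means the
    bulletin names no fixed build for this major.minor line, so the host
    must move onto a recommended line rather than take a point release."""
    inst = parse_version(installed)
    fixed = FIXED_VERSIONS[product].get(f"{inst[0]}.{inst[1]}")
    if fixed is None:
        return "no-fix-on-line"
    return "fixed" if inst >= parse_version(fixed) else "vulnerable"

def hosts_needing_action(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Reduce a (host, product, version) inventory to the hosts that still
    need work, each paired with its status; input order is preserved."""
    todo = []
    for host, product, version in inventory:
        status = check_version(product, version)
        if status != "fixed":
            todo.append((host, status))
    return todo

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("wiki-prod", "confluence", "8.5.9"),    # LTS line, below 8.5.11
    ("wiki-dr", "confluence", "8.5.11"),     # exactly the fixed build
    ("wiki-legacy", "confluence", "8.7.2"),  # no fixed build named for 8.7
    ("jira-prod", "jira", "9.12.10"),        # inside the recommended range
    ("sd-prod", "jsm", "5.4.20"),            # one build short of 5.4.21
]

print(hosts_needing_action(SAMPLE_INVENTORY))
```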
REFERENCES:
The following report contains further technical details:
https://securityaffairs.com/164743/security/atlassian-confluence-crucible-jira-flaws.html