RCE Vulnerabilities in Atlassian Products
History:
- 24/07/2023 --- v1.0 -- Initial publication
Summary
On July 18, 2023, Atlassian has released its Security Bulletin [1] for July 2023 to address vulnerabilities (RCE) in Confluence Data Center & Server (CVE-2023-22505 and CVE-2023-22508) and Bamboo Data Center (CVE-2023-22506). An attacker can exploit these vulnerabilities to take control of an affected system.
Technical Details
CVE-2023-22505: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8 out of 10, allows an authenticated attacker to execute arbitrary code which has a high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction [2].
CVE-2023-22508: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8.5 out of 10, allows an authenticated attacker to execute arbitrary code which has a high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction [4].
CVE-2023-22506: This code injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5 out of 10, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has a high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction [3]
Affected Products
CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center & Server [2].
CVE-2023-22508 was introduced in version 7.4.0 of Confluence Data Center & Server [4].
CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center [3].
Recommendations
CERT-EU recommends reviewing the latest Atlassian security bulletin and apply the necessary updates [1].
References
[1] https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html
[2] https://jira.atlassian.com/browse/CONFSERVER-88265