{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-009.pdf"
    },
    "title": "Critical and High Vulnerabilities in Atlassian Products",
    "serial_number": "2024-009",
    "publish_date": "17-01-2024 09:00:28",
    "description": "On January 16, 2024, Atlassian released a security advisory addressing a critical vulnerability in Confluence Data Center and Confluence Server that, if exploited, could lead to Remote Code Execution (RCE) on the affected server.<br>\nThe editor also released a security advisory addressing 28 high-severity vulnerabilities which have been fixed in new versions of Atlassian products.<br>\n",
    "url_title": "2024-009",
    "content_markdown": "---\ntitle: 'Critical and High Vulnerabilities in\u00a0Atlassian\u00a0Products'\nnumber: '2024-009'\nversion: '1.0'\noriginal_date: 'January 16, 2024'\ndate: 'January 17, 2024'\n---\n\n_History:_\n\n* _17/01/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 16, 2024, Atlassian released a security advisory addressing a critical vulnerability in Confluence Data Center and Confluence Server that, if exploited, could lead to Remote Code Execution (RCE) on the affected server [1].\n\nThe editor also released a security advisory addressing 28 high-severity vulnerabilities which have been fixed in new versions of Atlassian products [2].\n\n# Technical Details\n\nThe critical vulnerability `CVE-2023-22527`, with a CVSS score of 10, is due to a template injection vulnerability on out-of-date versions of Confluence Data Center and Server that allows an unauthenticated attacker to achieve RCE on an affected version [1].\n\nAmong the other 28 vulnerabilities [2], 6 of them could lead to Remote Code Execution on several Atlassian products.\n\n# Affected Products\n\nThe vulnerability `CVE-2023-22527` affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 (i.e., Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3), as well as 8.4.5, which no longer receives backported fixes in accordance with Atlassian's Security Bug Fix Policy [1].\n\nThe other 28 vulnerabilities affect [2]:\n\n- Bitbucket Data Center before versions 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2 and 8.17.0;\n- Bitbucket Server before versions 7.21.21, 8.9.9, 8.13.5 and 8.14.4;\n- Bamboo Data Center and Server before versions 9.2.9, 9.3.6 and 9.4.2;\n- Jira Data Center and Server before versions 9.4.13 and 9.7.0;\n- Jira Service Management Data Center and Server before versions 4.20.30, 5.4.15 and 5.12.2;\n- Crowd Data Center and Server before version 5.2.2;\n- Confluence Data Center before versions 7.19.18, 8.5.5 and 8.7.2;\n- Confluence Server before versions 7.19.18 and 8.5.5.\n\n# Recommendations\n\nCERT-EU strongly recommends installing the latest version of Atlassian products as soon as possible.\n\n# References\n\n[1] <https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html>\n\n[2] <https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/01/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 16, 2024, Atlassian released a security advisory addressing a critical vulnerability in Confluence Data Center and Confluence Server that, if exploited, could lead to Remote Code Execution (RCE) on the affected server [1].</p><p>The editor also released a security advisory addressing 28 high-severity vulnerabilities which have been fixed in new versions of Atlassian products [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The critical vulnerability <code>CVE-2023-22527</code>, with a CVSS score of 10, is due to a template injection vulnerability on out-of-date versions of Confluence Data Center and Server that allows an unauthenticated attacker to achieve RCE on an affected version [1].</p><p>Among the other 28 vulnerabilities [2], 6 of them could lead to Remote Code Execution on several Atlassian products.</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability <code>CVE-2023-22527</code> affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 (i.e., Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3), as well as 8.4.5, which no longer receives backported fixes in accordance with Atlassian's Security Bug Fix Policy [1].</p><p>The other 28 vulnerabilities affect [2]:</p><ul><li>Bitbucket Data Center before versions 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2 and 8.17.0;</li><li>Bitbucket Server before versions 7.21.21, 8.9.9, 8.13.5 and 8.14.4;</li><li>Bamboo Data Center and Server before versions 9.2.9, 9.3.6 and 9.4.2;</li><li>Jira Data Center and Server before versions 9.4.13 and 9.7.0;</li><li>Jira Service Management Data Center and Server before versions 4.20.30, 5.4.15 and 5.12.2;</li><li>Crowd Data Center and Server before version 5.2.2;</li><li>Confluence Data Center before versions 7.19.18, 8.5.5 and 8.7.2;</li><li>Confluence Server before versions 7.19.18 and 8.5.5.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends installing the latest version of Atlassian products as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html\">https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html\">https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}