{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-029.pdf"
    },
    "title": "Vulnerabilities in Atlassian Products",
    "serial_number": "2024-029",
    "publish_date": "20-03-2024 12:48:33",
    "description": "On March 19, 2024, Atlassian released a security advisory addressing 24 high and critical vulnerabilities, among which a critical severity vulnerability in Bamboo Data Center/Server and a high vulnerability in Confluence Data Center and Server.<br>\nIt is recommended to update affected products as soon as possible.<br>\n",
    "url_title": "2024-029",
    "content_markdown": "---\ntitle: 'Vulnerabilities in\u00a0Atlassian\u00a0Products'\nnumber: '2024-029'\nversion: '1.0'\noriginal_date: 'March 19, 2024'\ndate: 'March 20, 2024'\n---\n\n_History:_\n\n* _20/03/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 19, 2024, Atlassian released a security advisory addressing 24 high and critical vulnerabilities, among which a critical severity vulnerability in Bamboo Data Center/Server and a high vulnerability in Confluence Data Center and Server [1,2].\n\nIt is recommended to update affected products as soon as possible.\n\n# Technical Details\n\nThe vulnerability\u00a0**CVE-2024-1597**, with a CVSS score of 10.0, is a SQL injection (SQLi) vulnerability that could allow an unauthenticated attacker to expose assets in the environment [3].\n\nThe vulnerability\u00a0**CVE-2024-21677**, with a CVSS score of 8.3, is a Path Traversal vulnerability that could allow an unauthenticated attacker to exploit an undefinable vulnerability and requires user interaction [4].\n\nThe other 22 vulnerabilities have a CVSS score of 7.5 and could lead to DoS conditions, Remote Code Execution, or Server-Side Request Forgery on the affected product.\n\n# Affected Products\n\nThe vulnerabilities affect the following products:\n\n- Bamboo Data Center and Server;\n- Bitbucket Data Center and Server;\n- Confluence Data Center and Server;\n- Jira Software Data Center and Server.\n\nPlease refer to the vendor's advisory [1] for a complete list of affected and fixed versions.\n\n# Recommendations\n\nCERT-EU strongly recommends installing the latest version of Atlassian products as soon as possible.\n\n# References\n\n[1] <https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html>\n\n[2] <https://www.atlassian.com/trust/data-protection/vulnerabilities>\n\n[3] <https://jira.atlassian.com/browse/BAM-25716>\n\n[4] <https://jira.atlassian.com/browse/CONFSERVER-94604>",
    "content_html": "<p><em>History:</em></p><ul><li><em>20/03/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 19, 2024, Atlassian released a security advisory addressing 24 high and critical vulnerabilities, among which a critical severity vulnerability in Bamboo Data Center/Server and a high vulnerability in Confluence Data Center and Server [1,2].</p><p>It is recommended to update affected products as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability\u00a0<strong>CVE-2024-1597</strong>, with a CVSS score of 10.0, is a SQL injection (SQLi) vulnerability that could allow an unauthenticated attacker to expose assets in the environment [3].</p><p>The vulnerability\u00a0<strong>CVE-2024-21677</strong>, with a CVSS score of 8.3, is a Path Traversal vulnerability that could allow an unauthenticated attacker to exploit an undefinable vulnerability and requires user interaction [4].</p><p>The other 22 vulnerabilities have a CVSS score of 7.5 and could lead to DoS conditions, Remote Code Execution, or Server-Side Request Forgery on the affected product.</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerabilities affect the following products:</p><ul><li>Bamboo Data Center and Server;</li><li>Bitbucket Data Center and Server;</li><li>Confluence Data Center and Server;</li><li>Jira Software Data Center and Server.</li></ul><p>Please refer to the vendor's advisory [1] for a complete list of affected and fixed versions.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends installing the latest version of Atlassian products as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html\">https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.atlassian.com/trust/data-protection/vulnerabilities\">https://www.atlassian.com/trust/data-protection/vulnerabilities</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/BAM-25716\">https://jira.atlassian.com/browse/BAM-25716</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/CONFSERVER-94604\">https://jira.atlassian.com/browse/CONFSERVER-94604</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}