Critical Vulnerabilities Identified in Multiple Atlassian Products Please Take Immediate Action

Table of Contents

Atlassian Vulnerabilities

CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

App Vulnerabilities

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and clients must take immediate action to protect their instances.

Please carefully review all of the Critical Security Advisories impacting your Atlassian product(s) to verify affected versions and instructions. Note that Server, Data Center, and even some Cloud apps are affected.

CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

Summary: CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products
Advisory Release Date: Tue, Dec 05 2023 21:00 PST
Products:
  • Automation for Jira app (including Server Lite edition)
  • Bitbucket Data Center
  • Bitbucket Server
  • Confluence Data Center
  • Confluence Server
  • Confluence Cloud Migration App
  • Jira Core Data Center
  • Jira Core Server
  • Jira Service Management Data Center
  • Jira Service Management Server
  • Jira Software Data Center
  • Jira Software Server
CVE ID: CVE-2022-1471


Summary of Vulnerability

Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

Note: Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
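As an added illustration (not code from the advisory or from Atlassian), the weak SnakeYAML loading pattern behind CVE-2022-1471 is shown beside its hardened form. The class name, sample document and configuration keys are constructed for this example, and the SnakeYAML API version is assumed as noted in the comments.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoading {

    // Constructed sample: a document carrying an explicit Java class tag.
    // The default loader would instantiate the tagged class; the safe loader refuses it.
    static final String TAGGED_DOC = "created: !!java.util.Date 2023-12-05\nname: demo\n";

    // Weak pattern (the class of bug behind CVE-2022-1471): the no-arg Yaml()
    // uses the full Constructor, which resolves !!<class> tags to arbitrary
    // classes on the classpath. Never point this at attacker-controlled input.
    static Object loadUnsafe(String untrusted) {
        return new Yaml().load(untrusted);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars). Any !!<class> tag is rejected with a YAMLException.
    // Assumes SnakeYAML 1.33+/2.x, where SafeConstructor takes LoaderOptions.
    static Map<String, Object> loadSafe(String untrusted) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);       // fail on ambiguous documents
        opts.setMaxAliasesForCollections(50);    // bound alias expansion ("billion laughs")
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(untrusted);
    }

    public static void main(String[] args) {
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("unexpected: tagged document accepted");
        } catch (YAMLException e) {
            // Expected path: the safe loader refuses the class tag.
            System.out.println("safe loader rejected class tag: " + e.getMessage());
        }
        // A plain document with no class tags loads normally.
        Map<String, Object> cfg = loadSafe("name: demo\nretries: 3\n");
        System.out.println("retries = " + cfg.get("retries"));
    }
}
```

Patching the affected Atlassian products is the actual fix; this snippet only shows the loader configuration that separates the vulnerable usage from the safe one, for anyone auditing their own Java code or plugins that bundle SnakeYAML.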

CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

Summary: CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server
Advisory Release Date: Tue, Dec 05 2023 21:00 PST
Products:
  • Confluence Data Center
  • Confluence Server
CVE ID: CVE-2023-22522
Related Jira Ticket(s):

 

Summary of Vulnerability

This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and Server versions as listed below are at risk and require immediate attention. 

Note: Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

See affected versions and mitigation steps here. 

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Summary: CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
Advisory Release Date: Tue, Dec 5 2023 21:00 PST
Products:
  • Atlassian Companion App for MacOS for
    • Confluence Server
    • Confluence Data Center
CVE ID: CVE-2023-22524
Related Jira Ticket(s):

 

Summary of Vulnerability

All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code.

The Atlassian Companion App is an optional desktop application that can be installed on users' devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances. 

Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device.

This vulnerability affects the Atlassian Companion App only, not Confluence Data Center and Server or Cloud sites.

The Atlassian Companion App for Windows is not impacted by this vulnerability.


See affected versions and mitigation steps here.


 

CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Summary: CVE-2023-22523 - RCE (Remote Code Execution) Vulnerability in Assets Discovery
Advisory Release Date: Tue, Dec 5 2023 21:00 PST
Products:
  • Assets Discovery for
    • Jira Service Management Cloud
    • Jira Service Management Server
    • Jira Service Management Data Center
CVE ID: CVE-2023-22523
Related Jira Ticket(s):

 

Summary of Vulnerability

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. 

Assets Discovery, which can be downloaded via Atlassian Marketplace, is a stand-alone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.

See affected versions and mitigation steps here.

Need help with this?

Atlassian found these vulnerabilities as part of an ongoing security review that they are conducting in addition to their continuous security assessments, and currently, there is no evidence of exploitation. Your security is our top priority, and we believe that acting proactively is the best approach to protecting your data.

Contact us or give us a call at (248) 606-4612. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

Get the most out of your Atlassian tools E7 works side-by-side with you to understand your challenges and then quickly develop a plan to improve team and tool effectiveness. Make the most of your investment by speaking with us today about our packages.

E7 Solutions is an Atlassian Platinum Solution Partner
Atlassian Partner of the Year 2020: Cloud Services
Atlassian Partner of the Year 2019: Cloud
E7 Solutions is Atlassian Cloud Specialized
E7 Solutions is Atlassian ITSM Specialized