Atlassian released security patches to address four critical remote code execution vulnerabilities in its products.
Below is the list of vulnerabilities addressed by the vendor:
It’s unclear whether the above issues are being actively exploited in the wild.
At the end of October 2023, Atlassian warned of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server.
The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.
In early October, Atlassian released emergency security updates to address a critical zero-day vulnerability, tracked as CVE-2023-22515 (CVSS score 10), in its Confluence Data Center and Server software.
CVE-2023-22515 is a privilege escalation vulnerability that affects Confluence Data Center and Server 8.0.0 and later. A remote attacker can trigger the flaw in low-complexity attacks without any user interaction.
In July, Atlassian addressed three critical and high-severity vulnerabilities impacting the Confluence Server, Data Center, and Bamboo Data Center products. Successful exploitation of the vulnerabilities could result in remote code execution on vulnerable systems.
(SecurityAffairs – hacking, RCE)