Pierluigi Paganini
February 21, 2025
Software firm Atlassian released security patches to address 12 critical- and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira products.
The most severe vulnerabilities addressed by the company are:
CVE-2024-50379 – (CVSS score of 9.8) – RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server in Confluence Data Center. The flaw is a TOCTOU race condition in Apache Tomcat that allows RCE on case-insensitive file systems with a non-default write-enabled servlet. Update to 11.0.2, 10.1.34, or 9.0.98.
CVE-2024-56337 – (CVSS score of 9.8) – RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server. The flaw is an Apache Tomcat’s TOCTOU vulnerability, caused by incomplete mitigation for CVE-2024-50379. The vulnerability requires extra config on case-insensitive file systems. Fix in 11.0.3, 10.1.35, 9.0.99.
CVE-2024-52316 – (CVSS score of 9.8) – BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server. An unchecked error in Apache Tomcat’s Jakarta Authentication may allow auth bypass if a custom ServerAuthContext fails without setting an HTTP status. Affects versions 9.0.0-M1–9.0.95, 10.1.0-M1–10.1.30, 11.0.0-M1–11.0.0-M26. Upgrade to 9.0.96, 10.1.31, or 11.0.0.
CVE-2024-50379 – (CVSS score of 9.8) – A TOCTOU race condition in Apache Tomcat allows RCE on case-insensitive file systems. Affects versions 9.0.0.M1-9.0.97, 10.1.0-M1-10.1.33, 11.0.0-M1-11.0.1. Upgrade to 9.0.98, 10.1.34, or 11.0.2.
CVE-2024-56337
The company did not disclose whether these flaws have been exploited in attacks in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Atlassian)
