Atlassian has issued an email warning customers of four critical vulnerabilities, each rated 9.0 or higher.
Confluence, Jira, and Bitbucket servers, as well as a companion app for macOS are affected. The vulnerabilities, rated at least 9.0 out of 10, include a template injection flaw in Confluence (CVE-2023-22522), a privileged RCE in the Assets Discovery agent affecting Jira Service Management (CVE-2023-22523), a bypass of blocklist and macOS Gatekeeper on the companion app for Confluence (CVE-2023-22524), and an RCE in the SnakeYAML library impacting Jira, Bitbucket, and Confluence products (CVE-2022-1471). Atlassian advises users to update their products to the recommended fixed versions to address the vulnerabilities. Unfortunately, the email contained dead links for some recipients, leading to an error page. Atlassian has apologized for the broken links and advised customers to take immediate action to protect their instances.
https://www.bleepingcomputer.com/news/security/atlassian-patches-critical-rce-flaws-across-multiple-products/
https://www.theregister.com/2023/12/06/atlassian_four_rce_cves/
https://confluence.atlassian.com/security/december-2023-security-advisories-overview-1318892103.html
This segment was created for the It’s 5:05 podcast
https://505updates.com/2023-12-11-cybersecurity-and-open-source-headlines/