Security Advisory 2023-052

Release Date:

RCE Vulnerabilities in Atlassian Products

History:

  • 24/07/2023 -- v1.0 -- Initial publication

Summary

On July 18, 2023, Atlassian released its Security Bulletin [1] for July 2023 to address remote code execution (RCE) vulnerabilities in Confluence Data Center & Server (CVE-2023-22505 and CVE-2023-22508) and Bamboo Data Center (CVE-2023-22506). An attacker can exploit these vulnerabilities to take control of an affected system.

Technical Details

CVE-2023-22505: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction [2].

CVE-2023-22508: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8.5 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction [4].

CVE-2023-22506: This code injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5 out of 10, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction [3].

Affected Products

  • CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center & Server [2].

  • CVE-2023-22508 was introduced in version 7.4.0 of Confluence Data Center & Server [4].

  • CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center [3].

Recommendations

CERT-EU recommends reviewing the latest Atlassian security bulletin and applying the necessary updates [1].

References

[1] https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html

[2] https://jira.atlassian.com/browse/CONFSERVER-88265

[3] https://jira.atlassian.com/browse/BAM-22400

[4] https://jira.atlassian.com/browse/CONFSERVER-88221
