{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-052.pdf"
    },
    "title": "RCE Vulnerabilities in Atlassian Products",
    "serial_number": "2023-052",
    "publish_date": "24-07-2023 09:10:35",
    "description": "On July 18, 2023, Atlassian released its Security Bulletin for July 2023 to address remote code execution (RCE) vulnerabilities in Confluence Data Center & Server (CVE-2023-22505 and CVE-2023-22508) and Bamboo Data Center (CVE-2023-22506). An attacker can exploit these vulnerabilities to take control of an affected system.<br>\n",
    "url_title": "2023-052",
    "content_markdown": "---\ntitle: 'RCE Vulnerabilities in Atlassian Products'\nversion: '1.0'\nnumber: '2023-052'\noriginal_date: 'July 18, 2023'\ndate: 'July 24, 2023'\n---\n\n_History:_\n\n* _24/07/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn July 18, 2023, Atlassian released its Security Bulletin [1] for July 2023 to address remote code execution (RCE) vulnerabilities in Confluence Data Center & Server (**CVE-2023-22505** and **CVE-2023-22508**) and Bamboo Data Center (**CVE-2023-22506**). An attacker can exploit these vulnerabilities to take control of an affected system.\n\n# Technical Details\n\n**CVE-2023-22505**: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity and availability, and requires no user interaction [2].\n\n**CVE-2023-22508**: This RCE vulnerability, with a CVSS score of 8.5 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity and availability, and requires no user interaction [4].\n\n**CVE-2023-22506**: This code injection and RCE vulnerability, with a CVSS score of 7.5 out of 10, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has a high impact on confidentiality, integrity and availability, and requires no user interaction [3].\n\n# Affected Products\n\n- CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center & Server [2].\n\n- CVE-2023-22508 was introduced in version 7.4.0 of Confluence Data Center & Server [4].\n\n- CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center [3].\n\n# Recommendations\n\nCERT-EU recommends reviewing the latest Atlassian security bulletin and applying the necessary updates [1].\n\n# References\n\n[1] <https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html>\n\n[2] <https://jira.atlassian.com/browse/CONFSERVER-88265>\n\n[3] <https://jira.atlassian.com/browse/BAM-22400>\n\n[4] <https://jira.atlassian.com/browse/CONFSERVER-88221>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>24/07/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 18, 2023, Atlassian released its Security Bulletin [1] for July 2023 to address remote code execution (RCE) vulnerabilities in Confluence Data Center &amp; Server (<strong>CVE-2023-22505</strong> and <strong>CVE-2023-22508</strong>) and Bamboo Data Center (<strong>CVE-2023-22506</strong>). An attacker can exploit these vulnerabilities to take control of an affected system.</p><h2 id=\"technical-details\">Technical Details</h2><p><strong>CVE-2023-22505</strong>: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity and availability, and requires no user interaction [2].</p><p><strong>CVE-2023-22508</strong>: This RCE vulnerability, with a CVSS score of 8.5 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity and availability, and requires no user interaction [4].</p><p><strong>CVE-2023-22506</strong>: This code injection and RCE vulnerability, with a CVSS score of 7.5 out of 10, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has a high impact on confidentiality, integrity and availability, and requires no user interaction [3].</p><h2 id=\"affected-products\">Affected Products</h2><ul><li><p>CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center &amp; Server [2].</p></li><li><p>CVE-2023-22508 was introduced in version 7.4.0 of Confluence Data Center &amp; Server [4].</p></li><li><p>CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center [3].</p></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends reviewing the latest Atlassian security bulletin and applying the necessary updates [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html\">https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/CONFSERVER-88265\">https://jira.atlassian.com/browse/CONFSERVER-88265</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/BAM-22400\">https://jira.atlassian.com/browse/BAM-22400</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/CONFSERVER-88221\">https://jira.atlassian.com/browse/CONFSERVER-88221</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}