{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-040.pdf"
    },
    "title": "Vulnerabilities in Atlassian Products",
    "serial_number": "2024-040",
    "publish_date": "17-04-2024 09:31:38",
    "description": "On April 16, 2024, Atlassian released a security advisory addressing 7 high-severity vulnerabilities in Bamboo Data Center, Confluence Data Center, Jira Software Data Center, and Jira Service Management Data Center.<br>\nIt is recommended to update as soon as possible, prioritising internet-facing instances.<br>\n",
    "url_title": "2024-040",
    "content_markdown": "---\ntitle: 'Vulnerabilities in\u00a0Atlassian\u00a0Products'\nnumber: '2024-040'\nversion: '1.0'\noriginal_date: 'April 16, 2024'\ndate: 'April 17, 2024'\n---\n\n_History:_\n\n* _17/04/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn April 16, 2024, Atlassian released a security advisory addressing 7 high-severity vulnerabilities in Bamboo Data Center, Confluence Data Center, Jira Software Data Center, and Jira Service Management Data Center [1].\n\nIt is recommended to update as soon as possible, prioritising internet-facing instances.\n\n# Technical Details\n\nAll the vulnerabilities, with CVSS scores ranging from 7.5 to 8.2, are caused by vulnerable dependencies used by Atlassian\u00a0products. If exploited, these vulnerabilities could allow an attacker to expose assets in internal environments susceptible to exploitation, or to cause a denial-of-service condition [1].\n\n# Affected Products\n\nThe list of affected products includes:\n\n- **Bamboo Data Center** versions 9.6.0, 9.5.0 to 9.5.2, 9.4.0 to 9.4.3, 9.3.0 to 9.3.6, 9.2.0 to 9.2.12 (LTS), 9.1.0 to 9.1.3, 9.0.0 to 9.0.4, 8.2.0 to 8.2.9, and any earlier versions.\n- **Confluence Data Center** versions 8.7.0, 8.6.0 to 8.6.2, 8.5.0 to 8.5.6 (LTS), 8.4.0 to 8.4.5, 8.3.0 to 8.3.4, 8.2.0 to 8.2.3, 8.1.0 to 8.1.4, 8.0.0 to 8.0.4, 7.20.0 to 7.20.3, 7.19.0 to 7.19.19 (LTS), 7.18.0 to 7.18.3, 7.17.0 to 7.17.5, and any earlier versions.\n- **Jira Software Data Center** versions 9.14.0 to 9.14.1, 9.13.0 to 9.13.1, 9.12.0 to 9.12.5 (LTS), 9.11.0 to 9.11.3, 9.10.0 to 9.10.2, 9.9.0 to 9.9.2, 9.8.0 to 9.8.2, 9.7.0 to 9.7.2, 9.6.0, 9.5.0 to 9.5.1, 9.4.0 to 9.4.17 (LTS), 9.3.0 to 9.3.3, 9.2.0 to 9.2.1, 9.1.0 to 9.1.1, 9.0.0, and any earlier versions.\n- **Jira Service Management Data Center** versions 5.12.0 to 5.12.5 (LTS), 5.11.0 to 5.11.3, 5.10.0 to 5.10.2, 5.9.0 to 5.9.2, 5.8.0 to 5.8.2, 5.7.0 to 5.7.2, 5.6.0 to 5.6.2, 5.5.0 to 5.5.1, 5.4.0 to 5.4.18 (LTS), and any earlier versions.\n\n# Recommendations\n\nCERT-EU strongly recommends installing the latest version of Atlassian products, prioritising internet-facing instances.\n\n# References\n\n[1] <https://confluence.atlassian.com/security/security-bulletin-april-16-2024-1387857429.html>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/04/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On April 16, 2024, Atlassian released a security advisory addressing 7 high-severity vulnerabilities in Bamboo Data Center, Confluence Data Center, Jira Software Data Center, and Jira Service Management Data Center [1].</p><p>It is recommended to update as soon as possible, prioritising internet-facing instances.</p><h2 id=\"technical-details\">Technical Details</h2><p>All the vulnerabilities, with CVSS scores ranging from 7.5 to 8.2, are caused by vulnerable dependencies used by Atlassian\u00a0products. If exploited, these vulnerabilities could allow an attacker to expose assets in internal environments susceptible to exploitation, or to cause a denial-of-service condition [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>The list of affected products includes:</p><ul><li><strong>Bamboo Data Center</strong> versions 9.6.0, 9.5.0 to 9.5.2, 9.4.0 to 9.4.3, 9.3.0 to 9.3.6, 9.2.0 to 9.2.12 (LTS), 9.1.0 to 9.1.3, 9.0.0 to 9.0.4, 8.2.0 to 8.2.9, and any earlier versions.</li><li><strong>Confluence Data Center</strong> versions 8.7.0, 8.6.0 to 8.6.2, 8.5.0 to 8.5.6 (LTS), 8.4.0 to 8.4.5, 8.3.0 to 8.3.4, 8.2.0 to 8.2.3, 8.1.0 to 8.1.4, 8.0.0 to 8.0.4, 7.20.0 to 7.20.3, 7.19.0 to 7.19.19 (LTS), 7.18.0 to 7.18.3, 7.17.0 to 7.17.5, and any earlier versions.</li><li><strong>Jira Software Data Center</strong> versions 9.14.0 to 9.14.1, 9.13.0 to 9.13.1, 9.12.0 to 9.12.5 (LTS), 9.11.0 to 9.11.3, 9.10.0 to 9.10.2, 9.9.0 to 9.9.2, 9.8.0 to 9.8.2, 9.7.0 to 9.7.2, 9.6.0, 9.5.0 to 9.5.1, 9.4.0 to 9.4.17 (LTS), 9.3.0 to 9.3.3, 9.2.0 to 9.2.1, 9.1.0 to 9.1.1, 9.0.0, and any earlier versions.</li><li><strong>Jira Service Management Data Center</strong> versions 5.12.0 to 5.12.5 (LTS), 5.11.0 to 5.11.3, 5.10.0 to 5.10.2, 5.9.0 to 5.9.2, 5.8.0 to 5.8.2, 5.7.0 to 5.7.2, 5.6.0 to 5.6.2, 5.5.0 to 5.5.1, 5.4.0 to 5.4.18 (LTS), and any earlier versions.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends installing the latest version of Atlassian products, prioritising internet-facing instances.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/security/security-bulletin-april-16-2024-1387857429.html\">https://confluence.atlassian.com/security/security-bulletin-april-16-2024-1387857429.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}