Atlassian Patches Critical Flaw In Bamboo Server And Other 24 Flaws

A critical Bamboo Data Center and Server vulnerability has been discovered with a critical vulnerability which has been given CVE-2024-1597 and the severity was given as 10.0 (Critical).

This particular vulnerability was specifically mentioned by Atlassian that it is a non-atlassian Bamboo dependency.

“Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. ” reads the security bulletin from Atlassian. 

Alongside of this, there were 24 other vulnerabilities that were fixed by Atlassian in several other products such as Bitbucket Data center and server, Confluence data center and server and Jira Software Data center and server.

The fixed vulnerabilities were related to several flaws including Denial of Service, Path Traversal, Remote Code execution and Server-side Request Forgery.

Atlassian Patches 24 Flaws

According to the reports shared with Cyber Security News, the critical vulnerability in the Bamboo Data Center and Server was associated with SQLi (SQL injection) in the org.postgresql:postgresql dependency.

This vulnerability could allow a threat actor to expose assets in the vulnerable environment without any user interaction. 

However, Atlassian has claimed that this was an “unexploitable Critical severity vulnerability” which is assessed with low risk to Atlassian.

This particular vulnerability exists in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.

Apart from this, there was another high severity vulnerability addressed by Atlassian which was associated with Denial of service on the Bamboo Data Center and Server.

This DoS vulnerability exists in the software.amazon.ion:ion-java and the CVE has been assigned with CVE-2024-21634 with severity as 7.8 (High).

Additional information on the security bulletin by Atlassian stated about Bitbucket Data center in which another Denial of service vulnerability was patched that had the same DoS CVE of Bamboo Data Center and Server vulnerability. 

However, the Confluence Data Center and Server product had a Path Traversal and a Denial of Service vulnerabilities that were fixed as part of this security bulletin.

The CVEs for these vulnerabilities were given as CVE-2024-21677 (8.3 – High) and CVE-2023-36478 (7.5 – High).

The Jira Software Data Center and Server was one the products that had nearly 20 vulnerabilities fixed. Among these vulnerabilities nearly, there were 

• 3 Remote Code Execution vulnerabilities (CVE-2022-42890, CVE-2022-41704, CVE-2022-34169)
• 1 Server-side Request Forgery vulnerability (CVE-2022-40146) and
• 17 Denial of Service vulnerabilities.
  • CVE-2022-40150
  • CVE-2023-34455
  • CVE-2023-1436
  • CVE-2022-45685
  • CVE-2022-29546
  • CVE-2022-40149
  • CVE-2023-39410
  • CVE-2023-34454
  • CVE-2023-34453
  • CVE-2023-43642
  • CVE-2022-3509
  • CVE-2022-3171
  • CVE-2023-5072
  • CVE-2022-45688
  • CVE-2022-24839
  • CVE-2022-28366

Furthermore, the fixed versions and other information can be found in the security bulletin from Atlassian.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.