Atlassian released a security advisory to address a critical severity vulnerability impacting its popular products, Jira and Confluence. Tracked as CVE-2024-1597, the vulnerability has a CVSS score of 9.8. Successful exploitation of the vulnerability may allow an unauthenticated attacker to expose assets in the environment.
The org.postgresql:postgresql dependency vulnerability is only exploited when the instance uses PreferQueryMode=SIMPLE in its SQL database connection settings.
Confluence is a team collaboration software that helps create, collaborate, and organize the team’s work in one place. The software has three hosting options: Cloud, Server, and Data Server.
Jira Software Data Center is an enterprise solution that helps agile teams plan, track, and release software at scale. Organizations can self-host Jira software or access it through managed hosting providers. Jira Software Data Center offers features such as high availability, disaster recovery, custom field optimizer., etc.
Affected and Fixed Versions
Jira Software Data Center and Jira Software Server
| Affected versions | Fixed versions |
| 9.15.0 to 9.15.1 | 9.15.2 Data Center Only |
| 9.14.0 | 9.15.2 Data Center Only |
| 9.13.0 | 9.15.2 Data Center Only |
| 9.12.0 to 9.12.5 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.11.0 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.10.0 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.9.0 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.8.0 to 9.8.2 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.7.0 to 9.7.2 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.6.0 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.5.0 to 9.5.1 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended |
| 9.4.0 to 9.4.18 LTS | 9.15.2 Data Center Only or 9.12.6 LTS Recommended or 9.4.19 LTS |
| 9.3.0 to 9.3.3 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended or 9.4.19 LTS |
| 9.2.0 to 9.2.1 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended or 9.4.19 LTS |
| 9.1.0 to 9.1.1 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended or 9.4.19 LTS |
| 9.0.0 | 9.15.2 Data Center Only or 9.12.6 LTS Recommended or 9.4.19 LTS |
| Any earlier versions | 9.15.2 Data Center Only or 9.12.6 LTS Recommended or 9.4.19 LTS |
The vulnerability does not affect the Jira Software Data Center.
Confluence Data Center and Confluence Server
| Affected versions | Fixed versions |
| 8.9.0 | 8.9.1 |
| from 8.8.0 to 8.8.1 | 8.9.1 |
| from 8.7.0 to 8.7.2 | 8.9.1 |
| from 8.6.0 to 8.6.2 | 8.9.1 |
| from 8.5.0 to 8.5.8 LTS | 8.9.1 or 8.5.9 LTS recommended |
| from 8.4.0 to 8.4.5 | 8.9.1 or 8.5.9 LTS recommended |
| from 8.3.0 to 8.3.4 | 8.9.1 or 8.5.9 LTS recommended |
| from 8.2.0 to 8.2.3 | 8.9.1 or 8.5.9 LTS recommended |
| from 8.1.0 to 8.1.4 | 8.9.1 or 8.5.9 LTS recommended |
| from 8.0.0 to 8.0.4 | 8.9.1 or 8.5.9 LTS recommended |
| from 7.20.0 to 7.20.3 | 8.9.1 or 8.5.9 LTS recommended |
| from 7.19.0 to 7.19.21 LTS | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS |
| from 7.18.0 to 7.18.3 | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS |
| from 7.17.0 to 7.17.5 | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS |
| Any earlier versions | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS |
The vulnerability does not affect the Confluence Data Center.
For more information, please refer to the Atlassian Security Advisories JSWSERVER-25896 and CONFSERVER-95837.
Qualys Detection
Qualys customers can scan their devices with QIDs 731553 and 731547 to detect vulnerable assets.
Continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://jira.atlassian.com/browse/JSWSERVER-25896
https://jira.atlassian.com/browse/CONFSERVER-95837