Atlassian Patches Critical Vulnerabilities in Multiple Products (CVE-2022-1471, CVE-2023-22522, CVE-2023-22523, & CVE-2023-22524)

Atlassian has released security updates to address four critical vulnerabilities tracked as CVE-2022-1471, CVE-2023-22522, CVE-2023-22523, and CVE-2023-22524. On successful exploitation, all four vulnerabilities allow remote code execution. The vulnerabilities affect products, including Confluence, Jira, Bitbucket servers, and a companion app for macOS. Atlassian has not warned about the active exploitation of any of the vulnerabilities.

Atlassian Confluence Data Center and Confluence Server Improper Authorization Vulnerability (CVE-2023-22518)

Atlassian has addressed a vulnerability in the Confluence Data Center and Confluence Server. CVE-2023-22518 has been given a critical severity vulnerability and a CVSS score of 9.1. Atlassian has not released much information regarding this improper authorization vulnerability. The advisory states that no proof of active exploitation is available for the vulnerability. The advisory states, … Continue reading “Atlassian Confluence Data Center and Confluence Server Improper Authorization Vulnerability (CVE-2023-22518)”

Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)

Atlassian has released a security advisory to address a critical broken authentication vulnerability in Jira Service Management Server and Data Center (CVE-2023-22501). Under certain conditions, an attacker might use this vulnerability to impersonate another user to access a Jira Service Management instance.    Jira Service Management is designed to unlock high-velocity teams by allowing each team to give … Continue reading “Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)”

Atlassian Patches Critical Security Misconfiguration Vulnerability in Crowd Server and Data Center (CVE-2022-43782)

Atlassian has released a security update for a critical vulnerability (CVE-2022-43782) in Crowd Server and Data Center. Atlassian Crowd is a centralized identity management application that handles authentication and authorization for web-based applications. This helps in managing users from multiple directories such as Active Directory, LDAP, OpenLDAP, or Microsoft Azure AD. This also controls application … Continue reading “Atlassian Patches Critical Security Misconfiguration Vulnerability in Crowd Server and Data Center (CVE-2022-43782)”

Atlassian Patches Critical Command Injection Vulnerability in Bitbucket Server and Data Center (CVE-2022-43781)

Atlassian has released a security advisory to address a critical vulnerability in Bitbucket Server and Data Center (CVE-2022-43781). Bitbucket is a Git-based code hosting and collaboration tool built for teams. Bitbucket Server is hosted on-premises while the Bitbucket Data Center is hosted on several servers in a cluster in your environment. CVE-2022-43781 is a command … Continue reading “Atlassian Patches Critical Command Injection Vulnerability in Bitbucket Server and Data Center (CVE-2022-43781)”

Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)

Atlassian has released a security advisory to address a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. Tracked as CVE-2022-36804, Atlassian has rated the vulnerability as critical as it affects many Bitbucket Server and Data Server versions. The vulnerability was discovered by @TheGrandPew via Atlassian’s bug bounty program.   Bitbucket is … Continue reading “Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-36804)”

Atlassian Confluence Server and Confluence Data Center – Questions for Confluence App – Hardcoded Password Vulnerability (CVE-2022-26138)

Atlassian has released a patch to address a hardcoded credentials vulnerability in Confluence Server and Data Center. Tracked as CVE-2022-26138, the vulnerability can allow an unauthenticated, remote attacker to log into vulnerable servers. Atlassian has rated the vulnerability as Critical as there are reports of this vulnerability being exploited in the wild and the hardcoded … Continue reading “Atlassian Confluence Server and Confluence Data Center – Questions for Confluence App – Hardcoded Password Vulnerability (CVE-2022-26138)”

Atlassian Jira Authentication Bypass Vulnerability (CVE-2022-0540)

An authentication bypass vulnerability has been discovered in Atlassian Jira and Jira Service Management products. The vulnerability is being tracked as CVE-2022-0540.   Atlassian has released a public security advisory addressing the critical authentication bypass vulnerability in Seraph, the company’s web application security framework. Note that this vulnerability does not impact the cloud versions of … Continue reading “Atlassian Jira Authentication Bypass Vulnerability (CVE-2022-0540)”

Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability (CVE-2021-26085)

A Pre-Authorization Arbitrary File Read vulnerability was discovered on 21st, July 2021 in Atlassian Confluence Server. The vulnerability (CVE-2021-26085) is found in the versions before 7.4.10 and 7.5.0 to 7.12.2.  Confluence is a knowledge and collaboration environment for teams. Dynamic pages give your team a space to work on any project or concept by allowing them to … Continue reading “Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability (CVE-2021-26085)”

Atlassian Jira Server Template Injection Vulnerability

Atlassian Jira Server and Data Center is vulnerable to a server-side template injection in various resources. This vulnerability was introduced in version 4.4.x and affects versions as recent as 8.2.2 (released on 13 June 2019). CVE-2019–11581 has been assigned to track this vulnerability. Thousands of Jira Servers are potentially affected by this vulnerability and may … Continue reading “Atlassian Jira Server Template Injection Vulnerability”