Security News > 2023 > December > Atlassian fixes four critical RCE vulnerabilities, patch quickly!
Atlassian has released security updates for four critical vulnerabilities in its various offerings that could be exploited to execute arbitrary code.
CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java that can lead to remote code execution.
The company does not say whether the vulnerabilities have been exploited in the wild, but recommends that users upgrade to the fixed versions as soon as possible.
Temporary mitigations for CVE-2023-22522, CVE-2023-22524 and CVE-2023-22523 are available for users who can't patch immediately.
Atlassian recently patched two vulnerabilities in Confluence Data Center and Server that had been exploited by attackers: a zero-day that stemmed from broken access control, and CVE-2023-22518, a vulnerability that allowed attackers to reset the database of vulnerable instances and create a Confluence instance administrator account.
News URL
https://www.helpnetsecurity.com/2023/12/06/atlassian-critical-vulnerabilities/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Critical vulnerabilities persist in high-risk sectors (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-12-06 | CVE-2023-22524 | Unspecified vulnerability in Atlassian Companion Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. | 9.8 |
2023-12-06 | CVE-2023-22523 | Unspecified vulnerability in Atlassian products This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. | 8.8 |
2023-12-06 | CVE-2023-22522 | Injection vulnerability in Atlassian Confluence Server This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. | 8.8 |
2023-10-31 | CVE-2023-22518 | Incorrect Authorization vulnerability in Atlassian Confluence Data Center All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. | 9.8 |
2022-12-01 | CVE-2022-1471 | Deserialization of Untrusted Data vulnerability in Snakeyaml Project Snakeyaml SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. | 9.8 |