Atlassian fixes four critical RCE vulnerabilities, patch quickly!
Atlassian has released security updates for four critical vulnerabilities in its various offerings that could be exploited to execute arbitrary code.
CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java that can lead to remote code execution.
The company does not say whether the vulnerabilities have been exploited in the wild, but recommends that users upgrade to the fixed versions as soon as possible.
Temporary mitigations for CVE-2023-22522, CVE-2023-22524 and CVE-2023-22523 are available for users who can't patch immediately.
Atlassian recently patched two vulnerabilities in Confluence Data Center and Server that had been exploited by attackers: a zero-day that stemmed from broken access control, and CVE-2023-22518, a vulnerability that allowed attackers to reset the database of vulnerable instances and create a Confluence instance administrator account.
News URL
https://www.helpnetsecurity.com/2023/12/06/atlassian-critical-vulnerabilities/
Related news
- Exploit code released for critical Ivanti RCE flaw, patch now
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks
- Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856)
- Critical Progress WhatsUp RCE flaw now under active exploitation
- Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now
- Cisco warns of critical RCE zero-days in end of life IP phones
- SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
- Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
- Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)
- SolarWinds Releases Patch for Critical Flaw in Web Help Desk Software
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-12-06 | CVE-2023-22524 | Unspecified vulnerability in Atlassian Companion: certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. | 9.8 |
2023-12-06 | CVE-2023-22523 | Unspecified vulnerability in Atlassian products: this vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. | 8.8 |
2023-12-06 | CVE-2023-22522 | Injection vulnerability in Atlassian Confluence Server: this Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. | 8.8 |
2023-10-31 | CVE-2023-22518 | Incorrect Authorization vulnerability in Atlassian Confluence Data Center: all versions of Confluence Data Center and Server are affected by this unexploited vulnerability. | 9.8 |
2022-12-01 | CVE-2022-1471 | Deserialization of Untrusted Data vulnerability in SnakeYAML: SnakeYAML's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. | 9.8 |
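The loader choice behind CVE-2022-1471 (the SnakeYAML flaw mentioned in the summary above and in the last table row), shown as an added example that is not code from the article or from Atlassian or the SnakeYAML project. It assumes the SnakeYAML 1.x (pre-2.0) API; the class name, method names and the harmless input document are constructed for illustration.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SnakeYamlLoading {

    // Constructed input: a document carrying a global tag that names a Java class.
    // The class chosen here is harmless; the point is that the loader, not the
    // author of the document, should decide which classes may be instantiated.
    static final String UNTRUSTED_DOC =
            "name: example\n" +
            "payload: !!java.lang.String value\n";

    // Vulnerable pattern (assumed SnakeYAML 1.x): Constructor honours any
    // !!fully.qualified.Class tag, so untrusted YAML picks the classes to build.
    // In 1.x, new Yaml() with no arguments is the same thing.
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, sequences, strings, numbers, booleans, timestamps, binary) and
    // refuses any other tag instead of resolving it to a class.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        try {
            Map<?, ?> m = (Map<?, ?>) loadSafe(UNTRUSTED_DOC);
            System.out.println("unexpected: loaded " + m);
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for the
            // java.lang.String tag, so the whole document is rejected.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A quick audit for this flaw is to grep a code base for `new Yaml(` and `new Constructor(` and confirm every loader that touches untrusted input uses `SafeConstructor` (or, on SnakeYAML 2.x, the default loader with its tag restrictions left in place).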