Security News > 2023 > December > Atlassian fixes four critical RCE vulnerabilities, patch quickly!

Atlassian fixes four critical RCE vulnerabilities, patch quickly!
2023-12-06 14:51

Atlassian has released security updates for four critical vulnerabilities in its various offerings that could be exploited to execute arbitrary code.

CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java that can lead to remote code execution.

The company does not say whether the vulnerabilities have been exploited in the wild, but recommends that users upgrade to the fixed versions as soon as possible.

Temporary mitigations for CVE-2023-22522, CVE-2023-22524 and CVE-2023-22523 are available for users who can't patch immediately.

Atlassian recently patched two vulnerabilities in Confluence Data Center and Server that had been exploited by attackers: a zero-day that stemmed from broken access control, and CVE-2023-22518, a vulnerability that allowed attackers to reset the database of vulnerable instances and create a Confluence instance administrator account.


News URL

https://www.helpnetsecurity.com/2023/12/06/atlassian-critical-vulnerabilities/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-12-06 CVE-2023-22524 Unspecified vulnerability in Atlassian Companion
Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability.
network
low complexity
atlassian
critical
9.8
2023-12-06 CVE-2023-22523 Unspecified vulnerability in Atlassian products
This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed.
network
low complexity
atlassian
8.8
2023-12-06 CVE-2023-22522 Injection vulnerability in Atlassian Confluence Server
This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page.
network
low complexity
atlassian CWE-74
8.8
2023-10-31 CVE-2023-22518 Incorrect Authorization vulnerability in Atlassian Confluence Data Center
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability.
network
low complexity
atlassian CWE-863
critical
9.8
2022-12-01 CVE-2022-1471 Deserialization of Untrusted Data vulnerability in Snakeyaml Project Snakeyaml
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution.
network
low complexity
snakeyaml-project CWE-502
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Atlassian 58 3 259 104 46 412