Security News > 2023 > December > Atlassian fixes four critical RCE vulnerabilities, patch quickly!
Atlassian has released security updates for four critical vulnerabilities in its various offerings that could be exploited to execute arbitrary code.
CVE-2022-1471 is a deserialization flaw in the SnakeYAML library for Java that can lead to remote code execution.
The company does not say whether the vulnerabilities have been exploited in the wild, but recommends that users upgrade to the fixed versions as soon as possible.
Temporary mitigations for CVE-2023-22522, CVE-2023-22524 and CVE-2023-22523 are available for users who can't patch immediately.
Atlassian recently patched two vulnerabilities in Confluence Data Center and Server that had been exploited by attackers: a zero-day that stemmed from broken access control, and CVE-2023-22518, a vulnerability that allowed attackers to reset the database of vulnerable instances and create a Confluence instance administrator account.
News URL
https://www.helpnetsecurity.com/2023/12/06/atlassian-critical-vulnerabilities/
Related news
- Exploit code released for critical Ivanti RCE flaw, patch now (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Patch Tuesday for September 2024: Microsoft Catches Four Zero-Day Vulnerabilities (source)
- Ivanti fixes critical vulnerabilities in Endpoint Management (CVE-2024-29847) (source)
- D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers (source)
- Broadcom fixes critical RCE bug in VMware vCenter Server (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Patch this critical Safeguard for Privileged Passwords auth bypass flaw (CVE-2024-45488) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-06 | CVE-2023-22524 | Unspecified vulnerability in Atlassian Companion Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. | 9.8 |
| 2023-12-06 | CVE-2023-22523 | Unspecified vulnerability in Atlassian products This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. | 8.8 |
| 2023-12-06 | CVE-2023-22522 | Injection vulnerability in Atlassian Confluence Server This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. | 8.8 |
| 2023-10-31 | CVE-2023-22518 | Incorrect Authorization vulnerability in Atlassian Confluence Data Center All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. | 9.8 |
| 2022-12-01 | CVE-2022-1471 | Deserialization of Untrusted Data vulnerability in Snakeyaml Project Snakeyaml SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. | 9.8 |