Security News > 2023 > December > Atlassian patches critical RCE flaws across multiple products

Atlassian patches critical RCE flaws across multiple products
2023-12-06 15:49

Atlassian has published security advisories for four critical remote code execution vulnerabilities impacting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS. All security issues addressed received a critical-severity score of at least 9.0 out of 10, based on Atlassian's internal assessment.

Due to the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritize applying the available updates.

CVE-2022-1471: RCE in SnakeYAML library impacting multiple versions of Jira, Bitbucket, and Confluence products.

If administrators cannot apply the patch immediately, Atlassian recommends administrators to backup affected instances and take them offline.

If administrators are unable to apply the patch for CVE-2023-22524, the company recommends uninstalling the Atlassian Companion App.

December Android updates fix critical zero-click RCE flaw.


News URL

https://www.bleepingcomputer.com/news/security/atlassian-patches-critical-rce-flaws-across-multiple-products/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-12-06 CVE-2023-22524 Unspecified vulnerability in Atlassian Companion
Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability.
network
low complexity
atlassian
critical
9.8
2022-12-01 CVE-2022-1471 Deserialization of Untrusted Data vulnerability in Snakeyaml Project Snakeyaml
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution.
network
low complexity
snakeyaml-project CWE-502
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Atlassian 58 3 259 104 46 412