Atlassian RCE Bugs Plague Confluence, Bamboo
Three just-disclosed remote code execution (RCE) security vulnerabilities open up Atlassian Confluence Data Center & Server, and Bamboo, to system takeover, the software company is warning.

Confluence is a popular Web-based corporate wiki used for collaboration in cloud and hybrid server environments that allows one-click connections to a variety of different databases. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.

Bamboo, meanwhile, is a continuous integration (CI) and continuous delivery (CD) server for software development that provides automated building and testing of software source code.

Successful exploitation of any of the flaws could offer a wide-open door into users' cloud infrastructure, software supply chain, and more. While threat actors must be authenticated to succeed, no user interaction is required to exploit the bugs.

In Confluence, the vulnerabilities are tracked as CVE-2023-22505 (CVSS 8.5) and CVE-2023-22508 (CVSS 8.0). Both were patched in Confluence versions 8.3.2 and 8.4.0.

"This injection and RCE vulnerability allow an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," Atlassian noted in its security advisory on Confluence.

Meanwhile, the high-severity issue in Bamboo Data Center (CVE-2023-22506, CVSS 7.5) was patched in versions 9.2.3 and 9.3.1.

"[An attacker can] modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," according to Atlassian.

Given the sensitive role Atlassian products play inside corporate networks, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to apply the patches to their Atlassian instances as soon as possible.
