
Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira

Atlassian has released Confluence, Crucible, and Jira updates to address multiple high-severity vulnerabilities. The post Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira appeared first on SecurityWeek.


Atlassian this week announced the release of software updates that resolve multiple high-severity vulnerabilities in Confluence, Crucible, and Jira.

The Confluence Data Center and Server update resolves a total of six security defects in various dependencies, all of which were disclosed this year.

Tracked as CVE-2024-22257, the most severe of these flaws is a broken access control issue in the Spring Framework that could allow unauthenticated attackers to expose assets they should not have access to.

Next in line are three server-side request forgery (SSRF) vulnerabilities in the URL parsing functionality of the Spring Framework, which are tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259.

According to the NIST advisory for CVE-2024-22262, the three security holes are essentially the same bug, but each can be triggered with different output.

Atlassian also updated Confluence Data Center and Server with patches for two out-of-bounds write bugs in Apache Commons Configuration, which could allow unauthenticated attackers to cause a denial-of-service (DoS) condition by submitting a crafted configuration file or input.

Patches for all vulnerabilities have been included in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Crucible Data Center and Server versions 4.8.15 and higher address a deserialization of untrusted data vulnerability in the com.google.code.gson:gson package, which could be exploited by unauthenticated attackers to cause a DoS condition. The issue impacts Crucible version 4.8.0 and below.

This week, Atlassian also announced Jira Data Center and Server and Jira Service Management Data Center and Server updates that address an information disclosure vulnerability that can be exploited without authentication.

Tracked as CVE-2024-21685, the security defect was resolved in Jira Data Center and Server versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS), and Jira Service Management Data Center and Server versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).
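As an added example (not code from SecurityWeek or Atlassian), the fixed versions quoted above turned into a quick inventory check. It assumes a build is patched when it sits on one of the listed major.minor branches at or above that branch's lowest fixed build, treats builds older than every fixed line as vulnerable, and reports any other branch as unknown so it can be checked against the vendor bulletin.

```python
"""Compare an installed Atlassian Data Center/Server build against the fixed
versions named in the June 2024 advisories (example added here, not Atlassian's
own tooling). Assumption: a build on a listed major.minor branch is patched when
it is at or above that branch's lowest fixed build; anything older than every
fixed line is vulnerable; any other branch is reported as 'unknown'."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions quoted in the article, per product.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "confluence": ["8.9.3", "8.5.11", "7.19.24"],
    "crucible": ["4.8.15"],
    "jira": ["9.16.0", "9.16.1", "9.12.8", "9.12.10", "9.4.21", "9.4.23"],
    "jira-service-management": ["5.16.0", "5.16.1", "5.12.8", "5.12.10",
                                "5.4.21", "5.4.23"],
}


def parse_version(text: str) -> Version:
    """Turn '8.5.11' into (8, 5, 11) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def minimum_fixed_by_branch(product: str) -> Dict[Version, Version]:
    """Map each major.minor branch to the lowest fixed build on that branch."""
    branches: Dict[Version, Version] = {}
    for fixed in map(parse_version, FIXED_VERSIONS[product]):
        branch = fixed[:2]
        if branch not in branches or fixed < branches[branch]:
            branches[branch] = fixed
    return branches


def patch_status(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed build."""
    version = parse_version(installed)
    branches = minimum_fixed_by_branch(product)
    branch = version[:2]
    if branch in branches:
        return "patched" if version >= branches[branch] else "vulnerable"
    # Older than every fix line: no patched build exists on that branch.
    if version < min(branches.values()):
        return "vulnerable"
    # A newer, unlisted branch (e.g. an intermediate feature release):
    # confirm against the vendor bulletin rather than guess.
    return "unknown"


if __name__ == "__main__":
    for product, build in [("confluence", "8.5.10"), ("crucible", "4.8.0"),
                           ("jira", "9.12.9")]:
        print(product, build, patch_status(product, build))
```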

Atlassian’s June 2024 Security Bulletin makes no mention of any of these vulnerabilities being exploited in the wild.
