The Australian Cyber Security Centre has issued a high alert regarding vulnerabilities discovered within three Atlassian products.
Atlassian customers using a range of versions of Confluence, Jira, and Bitbucket are potentially at risk.
Three of the discovered vulnerabilities (CVE-2023-22522, CVE-2023-22523 and CVE-2022-1471) have been flagged as a concern; all three could allow an attacker to achieve remote code execution (RCE).
Atlassian has called the first vulnerability, CVE-2023-22522, a “template injection vulnerability”, which would allow a threat actor to inject their own input into a Confluence page. While Atlassian considers this the least critical of the three, its severity score of 9.0 still carries a high rating.
Similarly, CVE-2023-22523 would allow a bad actor to achieve RCE on devices with Assets Discovery installed.
“Assets Discovery … is a standalone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server,” said Atlassian.
“It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.”
Finally, CVE-2022-1471 is a vulnerability in the SnakeYAML library for Java, which is used by multiple Atlassian Data Center and Server products. According to Atlassian, the flaw exposes users of those products to a deserialisation weakness that could result in RCE.
Both CVE-2023-22523 and CVE-2022-1471 have a severity rating of 9.8.
In addition to the three vulnerabilities listed above, the ACSC has said that a vulnerability in the macOS Atlassian Companion App (CVE-2023-22524) has also been fixed.
“This vulnerability requires user interaction but is still critical, and operators are advised to patch,” it said.
The ACSC has noted that previous critical vulnerabilities discovered in Atlassian products have “had significant exploitation by malicious cyber actors”.
Those operating Confluence, Jira or Bitbucket are advised to apply vendor-recommended mitigations, which include patching to a fixed version and reassessing whether these products need to be internet facing.