
ACSC issues high alert regarding major Atlassian vulnerabilities

The Australian Cyber Security Centre has issued a high alert regarding vulnerabilities discovered within three Atlassian products.

Daniel Croft
Fri, 08 Dec 2023

Atlassian customers using a range of versions of Confluence, Jira, and Bitbucket are potentially at risk.

Three of the discovered vulnerabilities (CVE-2023-22522, CVE-2023-22523 and CVE-2022-1471) have been flagged as a concern, all three of which could result in an attacker achieving remote code execution (RCE).

Atlassian has called the first vulnerability, CVE-2023-22522, a “template injection vulnerability”, which would allow a threat actor to inject unsafe input into a Confluence page and from there achieve RCE. While Atlassian considers this to be the least critical of the three, its CVSS score of 9.0 still falls within the critical severity band.


Similarly, CVE-2023-22523 would allow a bad actor to achieve RCE on devices with Assets Discovery installed.

“Assets Discovery … is a standalone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server,” said Atlassian.

“It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.”

Finally, CVE-2022-1471 is a vulnerability in the SnakeYAML library for Java, which is used by multiple Atlassian Data Center and Server products. According to Atlassian, it is a deserialisation flaw that could result in RCE.

Both CVE-2023-22523 and CVE-2022-1471 have a severity rating of 9.8.

In addition to the three vulnerabilities listed above, the ACSC has said that a vulnerability in the macOS Atlassian Companion application (CVE-2023-22524) has also been fixed.

“This vulnerability requires user interaction but is still critical, and operators are advised to patch,” it said.

The ACSC has noted that previous critical vulnerabilities discovered in Atlassian products have “had significant exploitation by malicious cyber actors”.

Those operating Confluence, Jira or Bitbucket are advised to apply vendor-recommended mitigations, which include patching to a fixed version and reassessing whether these products need to be internet facing.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
