Atlassian Security Updates (CVE)

CVE-2021-42574 - Unrendered Unicode bidirectional override characters in multiple products

A new ‘High’ severity vulnerability was published on November 1, 2021.

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Bamboo Server and Data Center

  • Bitbucket Server and Data Center

  • Confluence Server and Data Center

  • Crucible

  • Fisheye

  • Jira Service Management Server and Data Center (and Insight Asset Management app)

  • Jira Software Server and Data Center (including Jira Core)

  • Jira and Confluence Server mobile apps

Description

A vulnerability has been identified affecting multiple Atlassian products in which special characters, known as Unicode bidirectional override characters, are not rendered visibly in the affected applications. Browsers and code editors typically do not display these characters, but they change the order in which the surrounding text is shown, so source code can appear to a reviewer to mean one thing while a compiler or interpreter processes it as another.
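
The following is an added example, not part of Atlassian's advisory or of any Atlassian product: a small Python scanner for the characters this advisory is about. It lists the nine Unicode bidirectional embedding, override and isolate controls (this set is the scanner's own, taken from the Unicode standard, not something the advisory enumerates), reports each occurrence with its line and column, flags lines that end with a control still open (simplified UAX #9 pairing: PDF closes the innermost embedding or override, PDI closes the innermost isolate and anything nested inside it), and can print the source with the controls made visible. The sample input is constructed here in the style of the "commenting-out" pattern: a reviewer sees the second line rendered as `/* begin admins only */ if (isAdmin) {`, while the compiler reads the whole line as a comment, so no admin check exists.

```python
import sys

# Unicode bidirectional formatting characters (the "bidirectional override
# characters" of the advisory). Embeddings and overrides are closed by PDF,
# isolates by PDI; one left open reorders the rendering of the rest of the line.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}
OPENS_EMBEDDING = {"\u202a", "\u202b", "\u202d", "\u202e"}
OPENS_ISOLATE = {"\u2066", "\u2067", "\u2068"}
PDF, PDI = "\u202c", "\u2069"


def scan_source(text):
    """Return one finding per bidi control in *text* as
    (line_no, col, codepoint, name), plus a synthetic
    (line_no, col, "-", "UNTERMINATED") finding for every line that ends
    with an embedding, override or isolate still open.

    Pairing follows UAX #9 in simplified form: PDF closes the innermost open
    embedding/override, PDI closes the innermost open isolate together with
    any embeddings nested inside it. Unmatched PDF/PDI are reported but
    otherwise ignored."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stack = []  # "E" = open embedding/override, "I" = open isolate
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            findings.append((line_no, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
            if ch in OPENS_EMBEDDING:
                stack.append("E")
            elif ch in OPENS_ISOLATE:
                stack.append("I")
            elif ch == PDF and stack and stack[-1] == "E":
                stack.pop()
            elif ch == PDI and "I" in stack:
                while stack.pop() != "I":
                    pass
        if stack:
            findings.append((line_no, len(line), "-", "UNTERMINATED"))
    return findings


def strip_bidi(text):
    """Remove every bidi control; what remains is the text a compiler parses."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def make_visible(text):
    """Replace each control with a visible <U+XXXX> tag for review output."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text)


# Constructed sample (not from the advisory). Line 2 contains RLO, LRI, PDI,
# LRI; line 4 contains RLO, LRI. To a reader, line 2 looks like
# "/* begin admins only */ if (isAdmin) {" and line 4 like
# "/* end admins only */ }", so the assignment appears guarded by isAdmin.
# The compiler sees both lines purely as comments: there is no check.
SAMPLE = (
    "int check(int isAdmin) {\n"
    "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "    int allowed = 1;\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    return allowed;\n"
    "}\n"
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, col, codepoint, name in scan_source(src):
        print(f"line {line_no} col {col}: {codepoint} {name}")
    print(make_visible(src))
```

Run it with a path argument to scan a real file, or without one to see the sample's eight findings (four controls plus one UNTERMINATED on line 2, two controls plus one UNTERMINATED on line 4). Rejecting or at least visibly rendering these controls in code review is the practical mitigation; `make_visible` shows what the diff viewer should have shown.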

Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. 

CVE-2018-10054 - Remote Code Execution through Insight - Asset Management

A new ‘Critical’ severity vulnerability was published on October 20, 2021.

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Insight – Asset Management app

  • Jira Service Management Data Center and Server

Description

Insight – Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, exposes a native function in its library that an attacker can call to run code on the server (remote code execution, RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

The combination of the DB import feature introduced by Insight – Asset Management with the H2 DB library already present in Jira exposed this vulnerability. The vulnerability exists whether or not an import configuration was saved, and even if H2 was never used as a target DB. Exploiting this vulnerability requires both of the following:

The user must be an authenticated Jira user, AND
the user (directly or via group membership) must hold either of the following privileges within Insight – Asset Management:

  • “Insight administrator”
  • “Object Schema Manager”

CVE-2021-26084 - Confluence Server Webwork OGNL injection

A new ‘Critical’ severity vulnerability was published on August 25, 2021.

Severity

This vulnerability is being actively exploited in the wild.
Affected servers should be patched immediately.

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Confluence Server

  • Confluence Data Center

Description

An OGNL injection vulnerability exists that allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

All versions of Confluence Server and Data Center prior to the fixed versions listed in the full advisory are affected by this vulnerability.

Acknowledgements

The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.
