- 234/2024
- High
Atlassian has released security updates to fix several vulnerabilities across multiple Atlassian products.
The addressed vulnerabilities could allow the remote attacker to perform denial of service attacks, conduct cross-site request forgery and server-side request forgery attacks, or execute arbitrary code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Atlassian Crowd Data Center and Server org.springframework:spring-web Dependency SSRF Vulnerability (CVE-2024-22259):
- CVSS: 8.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Access
2. Atlassian Bamboo Data Center and Server RCE Vulnerability (CVE-2024- 21689):
- CVSS: 7.6
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Consequences: Gain Access
The affected products:
- Atlassian Bamboo Data Center and Server.
- Atlassian Confluence Data Center and Server.
- Atlassian Crowd Data Center and Server.
- Atlassian Jira Data Center and Server.
- Atlassian Jira Service Management Data Center and Server.
Vulnerabilities
- CVE-2024-21689
- CVE-2024-29857
- CVE-2024-34750
- CVE-2024-21690
- CVE-2024-22259
- CVE-2024-22243
- CVE-2024-22262
- CVE-2024-34750
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.