Security Bulletin - July 16 2024

Security Advisories & Bulletins

On this page

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

July 2024 Security Bulletin

This Security Bulletin includes 11 high-severity vulnerabilities which have been addressed in the noted Fixed Versions released in the past month. These vulnerabilities were discovered via our Bug Bounty program, pen-testing processes, and third-party library scans.

To fix all of the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions. The listed Fixed Versions for each product are current as of July 16, 2024 (date of publication); visit the linked product Release Notes for the most up-to-date versions.

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Released Security Vulnerabilities
Product & Release NotesAffected VersionsFixed VersionVulnerability SummaryCVE IDCVSS Severity
Bamboo Data Center and Server
  • 9.6.0 to 9.6.3 (LTS)
  • 9.5.0 to 9.5.4
  • 9.4.0 to 9.4.4
  • 9.3.0 to 9.3.6
  • 9.2.1 to 9.2.15 (LTS)
  • 9.1.0 to 9.1.3
  • 9.0.0 to 9.0.4
  • 9.6.4 (LTS) recommended Data Center Only
  • 9.2.16 (LTS)
File Inclusion in Bamboo Data Center and ServerCVE-2024-216878.1 High
SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Bamboo Data Center and ServerCVE-2024-222628.1 High
Confluence Data Center and Server
  • 8.9.0 to 8.9.3
  • 8.8.0 to 8.8.1
  • 8.7.1 to 8.7.2
  • 8.6.0 to 8.6.2
  • 8.5.0 to 8.5.11 (LTS)
  • 8.4.0 to 8.4.5
  • 8.3.0 to 8.3.4
  • 8.2.0 to 8.2.3
  • 8.1.0 to 8.1.4
  • 8.0.0 to 8.0.4
  • 7.20.0 to 7.20.3
  • 7.19.0 to 7.19.24 (LTS)
  • 8.9.4 Data Center Only
  • 8.5.12 (LTS) recommended
  • 7.19.25 (LTS)
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and ServerCVE-2021-360907.5 High
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and ServerCVE-2021-355177.5 High
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and ServerCVE-2021-355167.5 High
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and ServerCVE-2021-355157.5 High
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and ServerCVE-2019-124027.5 High
Third-Party Dependency in Confluence Data Center and Server

CVE-2023-22025
CVE-2023-22081
CVE-2024-20918
CVE-2024-20919
CVE-2024-20921
CVE-2024-20926
CVE-2024-20932
CVE-2024-20945
CVE-2024-20952
CVE-2024-21011
CVE-2024-21012
CVE-2024-21068
CVE-2024-21085
CVE-2024-21094

7.4 High
Stored XSS in Confluence Data Center and ServerCVE-2024-216867.3 High
Jira Data Center and Server
  • 9.7.0 to 9.7.2
  • 9.6.0
  • 9.5.0 to 9.5.1
  • 9.4.0 to 9.4.17 (LTS)
  • 9.3.0 to 9.3.3
  • 9.2.0 to 9.2.1
  • 9.1.0 to 9.1.1
  • 9.8.0 or later
  • 9.12.0 to 9.12.11 (LTS) recommended
  • 9.4.18 to 9.4.24 (LTS)
DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Software Data Center and ServerCVE-2022-419667.5 High
Jira Service Management Data Center and Server
  • 5.7.0 to 5.7.2
  • 5.6.0
  • 5.5.0 to 5.5.1
  • 5.4.0 to 5.4.17 (LTS)
  • 5.3.0 to 5.3.3
  • 5.2.0 to 5.2.1
  • 5.1.0 to 5.1.1
  • 5.8.0 or later
  • 5.12.0 to 5.12.11 (LTS) recommended
  • 5.4.18 to 5.4.24 (LTS)
DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Service Management Data Center and ServerCVE-2022-419667.5 High


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.

  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.

  • I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.

  • Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post


To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Jul 18, 2024

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.