Security Bulletin - April 16 2024


April 2024 Security Bulletin


The vulnerabilities reported in this Security Bulletin include 7 high-severity vulnerabilities that have been fixed in new versions of our products released in the last month. These vulnerabilities were discovered via our Bug Bounty program, pen-testing processes, and third-party library scans.

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or to one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of April 16, 2024 (date of publication); visit the linked product Release Notes for the most up-to-date versions.

Feel free to share feedback and discuss this bulletin on our most recent Trust & Security Community Post, and search for CVEs or check your product versions for disclosed vulnerabilities with the Vulnerability Disclosure Portal.


Due to a third-party app compatibility issue, the 9.15.0 and 9.15.1 releases of Jira Software have been removed and shouldn't be installed. Please download and install 9.15.2 instead, which includes both the CVE fix and the compatibility fix. Please reach out to Atlassian Support if you have any questions.

Released Security Vulnerabilities

Columns: Product & Release Notes | Affected Versions | Fixed Versions | Vulnerability Summary | CVE ID | CVSS Severity

Bamboo Data Center and Server
Affected Versions:
  • 9.6.0
  • 9.5.0 to 9.5.2
  • 9.4.0 to 9.4.3
  • 9.3.0 to 9.3.6
  • 9.2.0 to 9.2.12 (LTS)
  • 9.1.0 to 9.1.3
  • 9.0.0 to 9.0.4
  • 8.2.0 to 8.2.9
  • Any earlier versions
Fixed Versions:
  • 9.6.1 (LTS) recommended, Data Center Only
  • 9.5.3, Data Center Only
  • 9.2.13 (LTS)
Vulnerabilities:
  • org.springframework.security:spring-security-core Dependency in Bamboo Data Center and Server (CVE-2024-22257, CVSS 8.2 High)
  • SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Bamboo Data Center and Server (CVE-2024-22243, CVSS 8.1 High)

Confluence Data Center and Server
Affected Versions:
  • 8.8.0 to 8.8.1
  • 8.7.1 to 8.7.2
  • 8.6.0 to 8.6.2
  • 8.5.0 to 8.5.6 (LTS)
  • 8.4.0 to 8.4.5
  • 8.3.0 to 8.3.4
  • 8.2.0 to 8.2.3
  • 8.1.0 to 8.1.4
  • 8.0.0 to 8.0.4
  • 7.20.0 to 7.20.3
  • 7.19.0 to 7.19.19 (LTS)
  • 7.18.0 to 7.18.3
  • 7.17.0 to 7.17.5
  • Any earlier versions
Fixed Versions:
  • 8.9.0, Data Center Only
  • 8.5.7 to 8.5.8 (LTS) recommended
  • 7.19.20 to 7.19.21 (LTS)
Vulnerabilities:
  • DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Confluence Data Center and Server (CVE-2024-21634, CVSS 7.5 High)

Jira Software Data Center and Server
Affected Versions:
  • 9.14.0 to 9.14.1
  • 9.13.0 to 9.13.1
  • 9.12.0 to 9.12.5 (LTS)
  • 9.11.0 to 9.11.3
  • 9.10.0 to 9.10.2
  • 9.9.0 to 9.9.2
  • 9.8.0 to 9.8.2
  • 9.7.0 to 9.7.2
  • 9.6.0
  • 9.5.0 to 9.5.1
  • 9.4.0 to 9.4.17 (LTS)
  • 9.3.0 to 9.3.3
  • 9.2.0 to 9.2.1
  • 9.1.0 to 9.1.1
  • 9.0.0
  • Any earlier versions
Fixed Versions:
  • 9.15.2, Data Center Only
  • 9.12.6 to 9.12.7 (LTS) recommended
  • 9.4.18 to 9.4.20 (LTS)
Vulnerabilities:
  • DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Software Data Center and Server (CVE-2024-21634, CVSS 7.5 High)
  • DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Software Data Center and Server (CVE-2023-1370, CVSS 7.5 High)

Jira Service Management Data Center and Server
Affected Versions:
  • 5.12.0 to 5.12.5 (LTS)
  • 5.11.0 to 5.11.3
  • 5.10.0 to 5.10.2
  • 5.9.0 to 5.9.2
  • 5.8.0 to 5.8.2
  • 5.7.0 to 5.7.2
  • 5.6.0 to 5.6.2
  • 5.5.0 to 5.5.1
  • 5.4.0 to 5.4.18 (LTS)
  • Any earlier versions
Fixed Versions:
  • 5.15.2, 5.14.0, 5.14.1, Data Center Only
  • 5.12.6 (LTS) recommended
  • 5.4.19 (LTS)
Vulnerabilities:
  • Denial of Service (DoS) com.nimbusds:nimbus-jose-jwt Dependency in Jira Service Management Data Center and Server (CVE-2023-52428, CVSS 7.5 High)
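The table above is easy to misread when an instance sits on a feature version that is neither in an affected range nor in a fixed line. As an added example (not Atlassian's own tooling or code), the Python checker below encodes the Bamboo row of this bulletin as data and classifies an installed version as affected, fixed, or not listed, then names the nearest Fixed Version in the same feature line. The Advisory structure, the function names, and the treatment of "not listed" versions (following the FAQ's note that an unlisted feature version is likely unsupported) are this example's own assumptions; the version ranges are transcribed from the table.

```python
from dataclasses import dataclass
from typing import Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '9.12.5' or '9.12.5 (LTS)' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split()[0].split(".")]
    while len(parts) < 3:  # '9.6' compares as 9.6.0
        parts.append(0)
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Advisory:
    product: str
    affected: Tuple[Tuple[str, str], ...]  # inclusive (first, last) ranges from the bulletin
    earlier_affected: bool                 # the row carries "Any earlier versions"
    fixed: Tuple[str, ...]                 # fixed versions from the bulletin


# Transcribed from the Bamboo Data Center and Server row of this bulletin.
BAMBOO = Advisory(
    product="Bamboo Data Center and Server",
    affected=(("9.6.0", "9.6.0"), ("9.5.0", "9.5.2"), ("9.4.0", "9.4.3"),
              ("9.3.0", "9.3.6"), ("9.2.0", "9.2.12"), ("9.1.0", "9.1.3"),
              ("9.0.0", "9.0.4"), ("8.2.0", "8.2.9")),
    earlier_affected=True,
    fixed=("9.6.1", "9.5.3", "9.2.13"),
)


def assess(adv: Advisory, version_text: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' for an installed version."""
    v = parse_version(version_text)
    ranges = [(parse_version(lo), parse_version(hi)) for lo, hi in adv.affected]
    fixed = [parse_version(f) for f in adv.fixed]
    if any(lo <= v <= hi for lo, hi in ranges):
        return "affected"
    if adv.earlier_affected and v < min(lo for lo, _ in ranges):
        return "affected"
    # At or beyond a fixed version in the same feature line (major.minor) counts as fixed.
    if any(v[:2] == f[:2] and v >= f for f in fixed):
        return "fixed"
    # Neither in an affected range nor covered by a fixed line: per the FAQ this usually
    # means an unsupported feature version that should move to a current or LTS release.
    return "not listed"


def recommended_upgrade(adv: Advisory, version_text: str) -> str:
    """Smallest fixed version in the same feature line, else the highest fixed version."""
    v = parse_version(version_text)
    fixed = sorted(parse_version(f) for f in adv.fixed)
    same_line = [f for f in fixed if f[:2] == v[:2] and f > v]
    target = same_line[0] if same_line else fixed[-1]
    return ".".join(str(n) for n in target)


if __name__ == "__main__":
    for installed in ("9.5.1", "9.6.1", "8.0.3", "9.4.4"):
        print(installed, assess(BAMBOO, installed), "->", recommended_upgrade(BAMBOO, installed))
```

A version such as 9.4.4 comes back as "not listed" rather than "fixed", which is the useful signal here: nothing in the bulletin vouches for it, so the right move is the LTS or latest release, not an assumption that a later patch number is clean.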


Frequently Asked Questions:

  • Are there any mitigations available? There are no mitigations available for the CVEs listed in this bulletin.
  • I am running a server version of my product - can I still upgrade? Be aware that upgrading with an expired server license will make your instance unavailable. Please refer to Atlassian's server end of support documentation.
  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.
  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.
  • I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet, or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.
  • Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post.



Last modified on May 3, 2024
