Security Bulletin - December 12 2023
December 2023 Security Bulletin
The December 2023 Security Bulletin is part of Atlassian’s new monthly disclosure of non-critical vulnerabilities. Our goal is to support our customers in taking timely action to protect their instances with increased transparency and regular, proactive updates. Vulnerabilities are identified through Atlassian's ongoing security assessments, which include activities such as our Bug Bounty program, pen-testing processes, and third-party library scans. Read more about Atlassian's Security Bulletins here.
NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.
You can continue to count on receiving Monthly Security Bulletins on the third Tuesday of the month, except for December, which we'll publish on the second Tuesday. We've made the adjustment to accommodate the holiday season.
The vulnerabilities reported in this security bulletin include 7 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month.
December 2023 Released Security Vulnerabilities

Summary | Severity | CVSS Score | Affected Versions | CVE ID | More Details | Public Date
---|---|---|---|---|---|---
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | | | Dec 12, 2023
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | | | Dec 12, 2023
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | | | Dec 12, 2023
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Vulnerability in Crowd Data Center and Server | High | 7.5 | All versions up to 5.0.7 | | | Dec 12, 2023
DoS (Denial of Service) net.minidev:json-smart Vulnerability in Confluence Data Center and Server | High | 7.5 | All versions up to 7.19.16 | | | Dec 12, 2023
DoS (Denial of Service) okio in Bitbucket Data Center and Server | High | 7.5 | From 7.17.x to 7.21.17 | | | Dec 12, 2023
DoS (Denial of Service) json-java in Bamboo Data Center and Server | High | 7.5 | From 8.1.x to 9.2.6 | | | Dec 12, 2023

The CVE ID and More Details columns were not captured in this copy of the table. The three nekohtml rows are listed as three separate entries in the bulletin, which is why the count above is seven.
What you need to do
To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.
Product | Fix Recommendation |
---|---|
Bamboo Data Center and Server | Patch to a minimum fix version of 9.2.7, 9.3.5 or latest |
Jira Service Management Data Center and Server | Patch to a minimum fix version of 4.20.28, 5.4.12 or latest. Upgrading Jira to a fixed version is also required. |
Crowd Data Center and Server | Patch to a minimum fix version of 5.0.8, 5.1.6, 5.2.1 or latest |
Confluence Data Center and Server | Patch to a minimum fix version of 7.19.17, 8.3.4, 8.4.5, 8.5.4, 8.6.2, 8.7.1 or latest |
Bitbucket Data Center and Server | Patch to a minimum fix version of 7.21.18, 8.9.7, 8.11.6, 8.12.4, 8.13.3, 8.14.2 or latest |
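The fix table answers "which version should I be on?" per release line, but checking a fleet by hand is error-prone: an instance on a release line the table does not name (say Confluence 8.0.x) has no in-line fix and must move to the nearest listed line. The script below is an added example, not part of this bulletin and not an Atlassian tool. It transcribes the minimum fix versions above, compares an installed version against the fix for its own major.minor line, and otherwise reports the smallest listed fix version above it. The product keys, the `check_version` / `check_inventory` names and the sample inventory in `main` are chosen here; treating a version newer than every listed minimum as fixed follows the "or latest" wording but is an assumption for release lines the table does not list.

```python
"""Check installed Atlassian product versions against the minimum fix versions
listed in this bulletin.

Added example, not Atlassian's own tooling.  The fix versions below are
transcribed from the bulletin's fix table; the product keys are names chosen here.
"""
from __future__ import annotations

import re
import sys

# Minimum fix versions per product, one per release line (from the bulletin).
MIN_FIX_VERSIONS: dict[str, list[str]] = {
    "bamboo": ["9.2.7", "9.3.5"],
    "jira-service-management": ["4.20.28", "5.4.12"],
    "crowd": ["5.0.8", "5.1.6", "5.2.1"],
    "confluence": ["7.19.17", "8.3.4", "8.4.5", "8.5.4", "8.6.2", "8.7.1"],
    "bitbucket": ["7.21.18", "8.9.7", "8.11.6", "8.12.4", "8.13.3", "8.14.2"],
}

# Extra conditions the fix table attaches to a product (from the bulletin).
EXTRA_NOTES = {
    "jira-service-management": "Upgrading Jira to a fixed version is also required.",
}

Version = tuple[int, int, int]


def parse_version(version: str) -> Version:
    """Turn '8.5.4', 'v8.5' or '8.5.4-dc' into a comparable (major, minor, patch).

    Non-numeric suffixes are ignored; missing components default to 0.
    """
    parts: list[int] = []
    for piece in version.strip().lstrip("v").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    major, minor, patch = (parts + [0, 0, 0])[:3]
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def check_version(product: str, installed: str) -> tuple[str, str | None]:
    """Return ("fixed", None) or ("upgrade", "<smallest listed fix above installed>").

    A release line (major.minor) counts as fixed once the installed version is at
    or above that line's listed minimum.  A version above every listed minimum is
    treated as fixed: this follows the bulletin's "or latest" wording but is an
    assumption for release lines the table does not name.
    """
    if product not in MIN_FIX_VERSIONS:
        raise KeyError(f"no fix data for product {product!r}")
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in MIN_FIX_VERSIONS[product])

    branch_fix = next((f for f in fixes if f[:2] == inst[:2]), None)
    if branch_fix is not None and inst >= branch_fix:
        return ("fixed", None)

    newer = [f for f in fixes if f > inst]
    if not newer:
        return ("fixed", None)
    # Smallest listed fix version above the installed one.  When the installed
    # version's own line is listed this is that line's fix; otherwise it is the
    # nearest listed line (e.g. Confluence 8.0.x -> 8.3.4).
    return ("upgrade", format_version(min(newer)))


def check_inventory(inventory: dict[str, str]) -> dict[str, tuple[str, str | None]]:
    """Run check_version over a {product: installed_version} mapping."""
    return {product: check_version(product, ver) for product, ver in inventory.items()}


def main(argv: list[str]) -> int:
    # Usage: python check_fix_versions.py confluence=8.5.3 bitbucket=8.9.7 ...
    # With no arguments, a constructed sample inventory is checked.
    pairs = argv or ["confluence=8.5.3", "bitbucket=8.9.7", "jira-service-management=5.4.11"]
    inventory = dict(p.split("=", 1) for p in pairs)
    needs_upgrade = 0
    for product, (status, target) in check_inventory(inventory).items():
        line = f"{product} {inventory[product]}: {status}"
        if status == "upgrade":
            needs_upgrade += 1
            line += f" to {target} or latest"
            if product in EXTRA_NOTES:
                line += f" ({EXTRA_NOTES[product]})"
        print(line)
    return 1 if needs_upgrade else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The non-zero exit status when anything needs an upgrade makes the script usable as a gate in a scheduled job; the affected-version ranges in the first table are deliberately not encoded, because the fix table is what determines the action to take.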
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.