Security Bulletin - December 12 2023

December 2023 Security Bulletin

The December 2023 Security Bulletin is part of Atlassian’s new monthly disclosure of non-critical vulnerabilities. Our goal is to support our customers in taking timely action to protect their instances with increased transparency and regular, proactive updates. Vulnerabilities are identified through Atlassian's ongoing security assessments, which include activities such as our Bug Bounty program, pen-testing processes, and third-party library scans. Read more about Atlassian's Security Bulletins here.

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.

You can continue to count on receiving Monthly Security Bulletins on the third Tuesday of the month, except for December, which we publish on the second Tuesday. We've made the adjustment to accommodate the holiday season.

The vulnerabilities reported in this security bulletin include 7 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month. 

December 2023 Released Security Vulnerabilities

Each entry below gives the vulnerability Summary, Severity, CVSS Score, Affected Versions, CVE ID, More Details (the Atlassian issue tracking the fix) and Public Date.

Summary: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: 4.20.0 and later, before the fix versions listed below
CVE ID: CVE-2022-28366
More Details: JSDSERVER-14921
Public Date: Dec 12, 2023

Summary: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: 4.20.0 and later, before the fix versions listed below
CVE ID: CVE-2022-29546
More Details: JSDSERVER-14873
Public Date: Dec 12, 2023

Summary: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: 4.20.0 and later, before the fix versions listed below
CVE ID: CVE-2022-24839
More Details: JSDSERVER-14872
Public Date: Dec 12, 2023

Summary: DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Vulnerability in Crowd Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: all versions up to 5.0.7; 5.1.x to 5.1.5; 5.2.0
CVE ID: CVE-2023-44487 (the HTTP/2 "Rapid Reset" flaw; it is only reachable through connectors that have HTTP/2 enabled)
More Details: CWD-6184
Public Date: Dec 12, 2023

Summary: DoS (Denial of Service) net.minidev:json-smart Vulnerability in Confluence Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: all versions up to 7.19.16; 8.0.x to 8.3.3; 8.4.x to 8.4.5; 8.5.x to 8.5.4; 8.6.x to 8.6.2; 8.7.0
CVE ID: CVE-2021-31684
More Details: CONFSERVER-93361
Public Date: Dec 12, 2023

Summary: DoS (Denial of Service) okio Vulnerability in Bitbucket Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: 7.17.x to 7.21.17; 8.7.x to 8.9.6; 8.10.x to 8.11.5; 8.12.x to 8.12.3; 8.13.x to 8.13.2; 8.14.x to 8.14.1
CVE ID: CVE-2023-3635
More Details: BSERV-19020
Public Date: Dec 12, 2023

Summary: DoS (Denial of Service) json-java Vulnerability in Bamboo Data Center and Server
Severity: High
CVSS Score: 7.5
Affected Versions: 8.1.x to 9.2.6; 9.3.x to 9.3.4
CVE ID: CVE-2023-5072
More Details: BAM-25498
Public Date: Dec 12, 2023



What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.

Product: Bamboo Data Center and Server
Fix Recommendation: Patch to a minimum fix version of 9.2.7, 9.3.5 or latest

Product: Jira Service Management Data Center and Server
Fix Recommendation: Patch to a minimum fix version of 4.20.28, 5.4.12 or latest
Note: Upgrading Jira to a fixed version is also required.

Product: Crowd Data Center and Server
Fix Recommendation: Patch to a minimum fix version of 5.0.8, 5.1.6, 5.2.1 or latest

Product: Confluence Data Center and Server
Fix Recommendation: Patch to a minimum fix version of 7.19.17, 8.3.4, 8.4.5, 8.5.4, 8.6.2, 8.7.1 or latest

Product: Bitbucket Data Center and Server
Fix Recommendation: Patch to a minimum fix version of 7.21.18, 8.9.7, 8.11.6, 8.12.4, 8.13.3, 8.14.2 or latest

To search for CVEs or to check your product versions for disclosed vulnerabilities, use the Vulnerability Disclosure Portal.
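The fix recommendations above are per release line: an instance is only covered once it is at or above the minimum fix version for its own major.minor line, and a line with no listed fix has to move to a listed one. The script below is an added example, not Atlassian's code or tooling; it transcribes the fix table into a lookup and classifies an installed version against it. The product keys, status names, the handling of version qualifiers such as "-LTS", and the sample inventory are assumptions made for the example.

```python
"""Check installed Atlassian Data Center/Server versions against the minimum
fix versions listed in the December 2023 Security Bulletin."""
import re

# Minimum fix versions per product, transcribed from the bulletin's fix table.
# Each entry is the first patched release on its major.minor release line.
# The product keys are this example's own naming, not Atlassian's.
MIN_FIX_VERSIONS = {
    "bamboo": ("9.2.7", "9.3.5"),
    "jira-service-management": ("4.20.28", "5.4.12"),
    "crowd": ("5.0.8", "5.1.6", "5.2.1"),
    "confluence": ("7.19.17", "8.3.4", "8.4.5", "8.5.4", "8.6.2", "8.7.1"),
    "bitbucket": ("7.21.18", "8.9.7", "8.11.6", "8.12.4", "8.13.3", "8.14.2"),
}

# Extra steps the bulletin attaches to a product's fix recommendation.
EXTRA_NOTES = {
    "jira-service-management": "Upgrading Jira to a fixed version is also required.",
}

# Leading dotted-numeric core of a version string; an optional "v" prefix is tolerated.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> tuple:
    """Turn '8.5.4', '8.5.4-LTS' or '7.19' into a comparable tuple.

    Qualifiers after the numeric core (e.g. '-LTS', '-rc1') are dropped, and
    the tuple is padded to major.minor.patch so '8.5' compares equal to '8.5.0'.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def release_line(v: tuple) -> tuple:
    """The major.minor line a parsed version belongs to ((8, 5, 4) -> (8, 5))."""
    return v[:2]


def check_version(product: str, installed: str) -> dict:
    """Classify an installed version against the bulletin's fix table.

    status is one of:
      patched           installed >= the minimum fix version on its line
      below-fix         same line as a listed fix, but older than it
      no-fix-on-line    no fix listed for this line; move to a listed line
      newer-than-table  newer than every listed fix; not covered by this table
    """
    key = product.strip().lower()
    if key not in MIN_FIX_VERSIONS:
        raise KeyError(f"product not in this bulletin: {product!r}")
    fixes = sorted(MIN_FIX_VERSIONS[key], key=parse_version)
    v = parse_version(installed)
    fix_on_line = {release_line(parse_version(f)): f for f in fixes}
    result = {"product": key, "installed": installed, "note": EXTRA_NOTES.get(key)}

    fix = fix_on_line.get(release_line(v))
    if fix is not None:
        if v >= parse_version(fix):
            result.update(status="patched", action="none required for this bulletin")
        else:
            result.update(status="below-fix", action=f"upgrade to {fix} or later")
        return result

    # The installed line has no fix of its own: pick the next listed fix above it.
    newer = [f for f in fixes if parse_version(f) > v]
    if not newer:
        result.update(status="newer-than-table",
                      action="release line is newer than every fix version listed; "
                             "confirm its status in the Vulnerability Disclosure Portal")
    else:
        line = ".".join(str(n) for n in release_line(v))
        result.update(status="no-fix-on-line",
                      action=f"no minimum fix version on the {line}.x line; "
                             f"upgrade to {newer[0]} or latest")
    return result


if __name__ == "__main__":
    # Constructed sample inventory for the example; these are not real instances.
    inventory = [
        ("confluence", "8.5.3"),
        ("confluence", "8.5.4-LTS"),
        ("bitbucket", "8.9.6"),
        ("bitbucket", "8.3.2"),
        ("jira-service-management", "5.4.11"),
        ("crowd", "5.3.0"),
    ]
    for product, version in inventory:
        r = check_version(product, version)
        print(f"{product:24} {version:10} {r['status']:17} {r['action']}")
        if r["note"] and r["status"] != "patched":
            print(f"{'':24} {'':10} {'':17} {r['note']}")
```

Versions are compared on their numeric core only, so a qualifier such as "-LTS" neither helps nor hurts the check. A line that the table does not list is never reported as patched: older or intermediate lines are pointed at the next listed fix (the bulletin recommends upgrading to latest in any case), and lines newer than the whole table are flagged for confirmation in the Vulnerability Disclosure Portal rather than assumed safe.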

Last modified on Dec 15, 2023
