Security Bulletin - February 20 2024

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

February 2024 Security Bulletin

This bulletin addresses vulnerabilities that have been resolved in Atlassian self-managed products.

The vulnerabilities reported in this security bulletin include 11 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month. These vulnerabilities are discovered via our Bug Bounty program, pen-testing processes, and third-party library scans. 

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of Feb. 20, 2024 (date of publication); visit the linked product Release Notes for the most up-to-date versions. 

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary. 

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

tip/resting Created with Sketch.

Read more about our February bulletin updates and provide feedback on our Community Post here.

Released Security Vulnerabilities

Product & Release Notes

Affected Versions

Fixed Versions

Vulnerability Summary

CVE ID

CVSS Severity

Confluence Data Center and Server

  • from 8.7.0 to 8.7.1

  • from 8.6.0 to 8.6.2

  • from 8.5.0 (LTS) to 8.5.4 (LTS)

  • from 8.4.0 to 8.4.5

  • from 8.3.0 to 8.3.4

  • from 8.2.0 to 8.2.3

  • from 8.1.0 to 8.1.4

  • from 8.0.0 to 8.0.4

  • from 7.20.0 to 7.20.3

  • from 7.19.0 (LTS) to 7.19.18 (LTS)

  • from 7.18.0 to 7.18.3

  • from 7.17.0 to 7.17.5

  • Any earlier versions

  • 8.8.0 recommended or 8.7.2 Data Center Only

  • 8.5.6 (LTS) or 8.5.5 (LTS)

  • 7.19.19 (LTS)

Stored XSS in Confluence Data Center

CVE-2024-21678

8.5 High

DoS (Denial of Service) org.json:json Dependency in Confluence Data Center and Server

CVE-2023-5072

7.5 High

DoS (Denial of Service) ch.qos.logback:logback-classic Dependency in Confluence Data Center and Server

CVE-2023-6481

7.5 High

DoS (Denial of Service) ch.qos.logback:logback-classic Dependency in Confluence Data Center and Server

CVE-2023-6378

7.5 High

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server

CVE-2023-46589

7.5 High

DoS (Denial of Service) org.apache.avro:avro Dependency in Confluence Data Center and Server

CVE-2023-39410

7.5 High

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Confluence Data Center and Server

CVE-2023-41835

7.5 High

com.google.guava:guava Dependency in Confluence Data Center and Server

CVE-2023-2976

7.1 High

Jira Software Data Center and Server

  • from 9.12.0 (LTS) to 9.12.1 (LTS)

  • from 9.11.0 to 9.11.3

  • from 9.10.0 to 9.10.2

  • from 9.9.0 to 9.9.2

  • from 9.8.0 to 9.8.2

  • from 9.7.0 to 9.7.2

  • 9.6.0

  • from 9.5.0 to 9.5.1

  • from 9.4.0 (LTS) to 9.4.14 (LTS)

  • from 9.3.0 to 9.3.3

  • from 9.2.0 to 9.2.1

  • from 9.1.0 to 9.1.1

  • 9.0

  • from 8.22.0 to 8.22.6

  • Any earlier versions

  • 9.14.0 recommended or 9.13.1 or 9.13.0 Data Center Only

  • 9.12.4 (LTS), or 9.12.3 (LTS) or 9.12.2 (LTS)

  • 9.4.17 (LTS) or 9.4.16 (LTS) or 9.4.15 (LTS)

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

CVE-2023-46589

7.5 High

Assets Discovery

  • from 6.0.0 - 6.2.0, “6.2.0-jira-dc-8”

  • Any earlier versions

  • 7.0.0 recommended or 6.2.1

Injection Vulnerability in Assets Discovery

CVE-2024-21682

7.2 High

Jira Service Management Data Center and Server

  • 5.13.0

  • from 5.12.0 (LTS) to 5.12.2 (LTS)

  • from 5.11.0 to 5.11.3

  • from 5.10.0 to 5.10.2

  • from 5.9.0 to 5.9.2

  • from 5.8.0 to 5.8.2

  • from 5.7.0 to 5.7.2

  • from 5.6.0 to 5.6.2

  • from 5.5.0 to 5.5.1

  • from 5.4.0 (LTS) to 5.4.15 (LTS)

  • from 5.3.0 to 5.3.1

  • from 5.2.0 to 5.2.1

  • from 5.1.0 to 5.1.1

  • 5.0

  • from 4.22.0 to 4.22.6

  • Any earlier versions

  • 5.14.0 recommended or 5.13.1 Data Center Only

  • 5.12.4 (LTS) or 5.12.3 (LTS)

  • 5.4.17 (LTS) or 5.4.16 (LTS)

com.google.guava:guava Dependency in Jira Service Management Data Center and Server

CVE-2023-2976

7.1 High


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.

  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.
  • I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table. 

  • Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post


To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.


Last modified on Feb 22, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.