Security Bulletin - January 16 2024
January 2024 Security Bulletin
This security bulletin covers 28 high-severity vulnerabilities that have been fixed in new versions of our products, as detailed below. They were discovered through our Bug Bounty program and penetration-testing processes, as well as third-party library scans.
NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.
Released Security Vulnerabilities
Summary | Severity | CVSS Score | Affected Versions | CVE ID | More Details | Public Date |
---|---|---|---|---|---|---|
Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server | High | 7.5 | All versions including and after 9.4.0 | CVE-2022-42252 | JSWSERVER-25468 | Jan 16, 2024 |
XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2020-25649 | JSWSERVER-25461 | Jan 16, 2024 |
SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server | High | 7.1 | All versions including and after 4.20.0 | CVE-2022-44729 | JSDSERVER-14958 | Jan 16, 2024 |
Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server | High | 7.5 | All versions including and after 3.4.6 | CVE-2021-40690 | CWD-6190 | Jan 16, 2024 |
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server | High | 7.5 | All versions including and after 3.4.6 | CVE-2023-46589 | CWD-6191 | Jan 16, 2024 |
DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server | High | 7.5 | All versions including and after 7.13.0 | CVE-2023-3635 | CONFSERVER-93623 | Jan 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 7.2 | All versions including and after 7.13.0 | CVE-2023-22526 | CONFSERVER-93516 | Jan 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 8.3 | All versions including and after 2.1 | | CONFSERVER-94064 | Jan 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 8.0 | All versions including and after 1.0.0 | | CONFSERVER-94065 | Jan 16, 2024 |
RCE (Remote Code Execution) in Confluence Data Center and Server | High | 8.6 | All versions including and after 1.0.0 | | CONFSERVER-94066 | Jan 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-43642 | BSERV-19100 | Jan 16, 2024 |
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-6481 | BSERV-19099 | Jan 16, 2024 |
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-6378 | BSERV-19098 | Jan 16, 2024 |
Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-46589 | BSERV-19097 | Jan 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-34455 | BSERV-19096 | Jan 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-34454 | BSERV-19095 | Jan 16, 2024 |
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2023-34453 | BSERV-19094 | Jan 16, 2024 |
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 8.9.0 | CVE-2023-36478 | BSERV-19044 | Jan 16, 2024 |
DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2023-5072 | BSERV-19037 | Jan 16, 2024 |
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2023-36478 | BAM-25623 | Jan 16, 2024 |
DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2023-39410 | BAM-25622 | Jan 16, 2024 |
RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server | High | 8.8 | All versions including and after 9.2.1 | CVE-2020-26217 | BAM-25614 | Jan 16, 2024 |
DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2017-7957 | BAM-25613 | Jan 16, 2024 |
Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2022-4244 | BAM-25612 | Jan 16, 2024 |
RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server | High | 8.8 | All versions including and after 9.1.0 | CVE-2018-10054 | BAM-25609 | Jan 16, 2024 |
DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.3 | CVE-2023-5072 | BAM-25607 | Jan 16, 2024 |
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2023-46589 | BAM-25606 | Jan 16, 2024 |
DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.1 | CVE-2022-40152 | BAM-25640 | Jan 16, 2024 |
What you need to do
To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.
Product | Fix Recommendation |
---|---|
Bitbucket Data Center | Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2, 8.17.0 or latest |
Bitbucket Server | Patch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4 |
Bamboo Data Center and Server | Patch to a minimum fix version of 9.2.9, 9.3.6, 9.4.2 or latest |
Jira Data Center and Server | Patch to a minimum fix version of 9.4.13, 9.7.0 or latest |
Jira Service Management Data Center and Server | Patch to a minimum fix version of 4.20.30, 5.4.15, 5.12.2 or latest |
Crowd Data Center and Server | Patch to a minimum fix version of 5.2.2 or latest |
Confluence Data Center | Patch to a minimum fix version of 7.19.18, 8.5.5, 8.7.2 or latest |
Confluence Server | Patch to a minimum fix version of 7.19.18, 8.5.5 |
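The fix table above is a list of minimum fix versions, one per supported release line, and the rule it implies is: patch to the listed fix on your own release line, or, if your line has no listed fix, move up to the next listed fix version or the latest release. The following is an added example, not Atlassian's tooling and not code from this bulletin, that encodes the table as data and applies that rule to an installed version. The product names and fix versions are transcribed from the table; the inventory entries at the bottom are constructed for illustration, and the treatment of any version newer than the highest listed fix as already fixed is an assumption that reads "or latest" literally.

```python
"""Check installed Atlassian Data Center / Server versions against the
minimum fix versions in this bulletin.  Added example; not Atlassian code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum fix versions, transcribed from the "What you need to do" table.
FIX_VERSIONS: Dict[str, List[str]] = {
    "Bitbucket Data Center": ["7.21.21", "8.9.9", "8.13.5", "8.14.4", "8.15.3", "8.16.2", "8.17.0"],
    "Bitbucket Server": ["7.21.21", "8.9.9", "8.13.5", "8.14.4"],
    "Bamboo Data Center and Server": ["9.2.9", "9.3.6", "9.4.2"],
    "Jira Data Center and Server": ["9.4.13", "9.7.0"],
    "Jira Service Management Data Center and Server": ["4.20.30", "5.4.15", "5.12.2"],
    "Crowd Data Center and Server": ["5.2.2"],
    "Confluence Data Center": ["7.19.18", "8.5.5", "8.7.2"],
    "Confluence Server": ["7.19.18", "8.5.5"],
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'8.13.5' -> (8, 13, 5); pads to three components so '9.7' == '9.7.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Verdict:
    fixed: bool
    recommended: Optional[str]  # version to move to; None when already fixed
    reason: str


def check(product: str, installed: str) -> Verdict:
    """Apply the bulletin's rule: same-line fix if one is listed, else the
    next listed fix version above the installed one."""
    if product not in FIX_VERSIONS:
        raise KeyError(f"no fix versions recorded for {product!r}")
    fixes = sorted((parse_version(v), v) for v in FIX_VERSIONS[product])
    inst = parse_version(installed)

    # 1. The installed major.minor line has a listed fix: compare against it.
    same_line = [(pv, s) for pv, s in fixes if pv[:2] == inst[:2]]
    if same_line:
        fix_v, fix_s = same_line[0]
        if inst >= fix_v:
            return Verdict(True, None, f"{installed} is at or above line fix {fix_s}")
        return Verdict(False, fix_s, f"{installed} is below line fix {fix_s}")

    # 2. Newer than every listed fix: assumed to be a later release that
    #    already carries the fix (the table's "or latest").
    if inst > fixes[-1][0]:
        return Verdict(True, None, f"{installed} is newer than highest listed fix {fixes[-1][1]}")

    # 3. A release line with no listed fix: move up to the next listed fix.
    nxt = next(s for pv, s in fixes if pv > inst)
    return Verdict(False, nxt, f"no fix listed on the {inst[0]}.{inst[1]} line; move to {nxt}")


def scan(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, recommended) for every entry needing action."""
    todo = []
    for product, version in inventory:
        v = check(product, version)
        if not v.fixed:
            todo.append((product, version, v.recommended))
    return todo


if __name__ == "__main__":
    # Constructed inventory for illustration; not real instances.
    sample = [
        ("Bitbucket Data Center", "8.12.1"),   # unfixed line -> 8.13.5
        ("Confluence Data Center", "8.5.5"),   # exactly the line fix
        ("Jira Data Center and Server", "9.4.12"),
        ("Crowd Data Center and Server", "5.3.0"),
    ]
    for product, version, target in scan(sample):
        print(f"{product} {version}: patch to {target}")
```

Note that the minimum fix versions address every item in this bulletin at once; a version that is "fixed" here may still be below the fix version named in a separate Critical Security Advisory, so keep those checks distinct.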
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.