Security Bulletin - January 16 2024

Security Advisories & Bulletins

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

January 2024 Security Bulletin

The vulnerabilities reported in this security bulletin include 28 high-severity vulnerabilities which have been fixed in new versions of our products, as detailed below. These vulnerabilities are discovered via our Bug Bounty program and pen-testing processes, as well as third-party library scans. 

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary. 

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Released Security Vulnerabilities
SummarySeverityCVSS ScoreAffected VersionsCVE IDMore DetailsPublic Date
Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and ServerHigh7.5All versions including and after 9.4.0CVE-2022-42252JSWSERVER-25468Jan 16, 2024
XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and ServerHigh7.5All versions including and after 8.20.0CVE-2020-25649JSWSERVER-25461Jan 16, 2024
SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and ServerHigh7.1All versions including and after 4.20.0CVE-2022-44729JSDSERVER-14958Jan 16, 2024
Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and ServerHigh7.5All versions including and after 3.4.6CVE-2021-40690CWD-6190Jan 16, 2024
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and ServerHigh7.5All versions including and after 3.4.6CVE-2023-46589CWD-6191Jan 16, 2024
DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and ServerHigh7.5All versions including and after 7.13.0CVE-2023-3635CONFSERVER-93623Jan 16, 2024
RCE (Remote Code Execution) in Confluence Data Center and ServerHigh7.2All versions including and after 7.13.0CVE-2023-22526CONFSERVER-93516Jan 16, 2024
RCE (Remote Code Execution) in Confluence Data Center and ServerHigh8.3All versions including and after 2.1CONFSERVER-94064Jan 16, 2024
RCE (Remote Code Execution) in Confluence Data Center and ServerHigh8.0All versions including and after 1.0.0CONFSERVER-94065Jan 16, 2024
RCE (Remote Code Execution) in Confluence Data Center and ServerHigh8.6All versions including and after 1.0.0CONFSERVER-94066Jan 16, 2024
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-43642BSERV-19100Jan 16, 2024
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-6481BSERV-19099Jan 16, 2024
DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-6378BSERV-19098Jan 16, 2024
Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-46589BSERV-19097Jan 16, 2024
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-34455BSERV-19096Jan 16, 2024
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-34454BSERV-19095Jan 16, 2024
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.21.0CVE-2023-34453BSERV-19094Jan 16, 2024
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 8.9.0CVE-2023-36478BSERV-19044Jan 16, 2024
DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and ServerHigh7.5All versions including and after 7.17.0CVE-2023-5072BSERV-19037Jan 16, 2024
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.1CVE-2023-36478BAM-25623Jan 16, 2024
DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.1CVE-2023-39410BAM-25622Jan 16, 2024
RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and ServerHigh8.8All versions including and after 9.2.1CVE-2020-26217BAM-25614Jan 16, 2024
DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.1CVE-2017-7957BAM-25613Jan 16, 2024
Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.1CVE-2022-4244BAM-25612Jan 16, 2024
RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and ServerHigh8.8All versions including and after 9.1.0CVE-2018-10054BAM-25609Jan 16, 2024
DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.3CVE-2023-5072BAM-25607Jan 16, 2024
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.1CVE-2023-46589BAM-25606Jan 16, 2024
DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and ServerHigh7.5All versions including and after 9.2.1CVE-2022-40152BAM-25640Jan 16, 2024

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.

ProductFix Recommendation
Bitbucket Data CenterPatch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, 8.16.2, 8.17.0 or latest
Bitbucket ServerPatch to a minimum fix version of 7.21.21, 8.9.9, 8.13.5, 8.14.4
Bamboo Data Center and ServerPatch to a minimum fix version of 9.2.9, 9.3.6, 9.4.2 or latest
Jira Data Center and ServerPatch to a minimum fix version of 9.4.13, 9.7.0 or latest
Jira Service Management Data Center and ServerPatch to a minimum fix version of 4.20.30, 5.4.15, 5.12.2 or latest
Crowd Data Center and ServerPatch to a minimum fix version of 5.2.2 or latest
Confluence Data CenterPatch to a minimum fix version of 7.19.18, 8.5.5, 8.7.2 or latest
Confluence ServerPatch to a minimum fix version of 7.19.18, 8.5.5

To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Jan 26, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.