Security Bulletin - July 18 2023

July 2023 Security Bulletin

It is important to note that the issues included in this bulletin are a recent increase in scope of our disclosures, previously we focused on disclosing first party, critical severity vulnerabilities via critical advisories. While this change results in an increase of visibility and disclosures, it does not mean there are more vulnerabilities. Rather, that we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products.

The vulnerabilities reported in this security bulletin include 3 high severity vulnerabilities which have been fixed in new versions of our products, released in the last month. These vulnerabilities are discovered via our bug bounty and pen-testing processes, as well as 3rd party library scans.

Released Security Vulnerabilities
SummarySeverityCVSS ScoreAffected VersionsCVE IDMore DetailsPublic Date
RCE (Remote Code Execution) in Confluence Data Center & ServerHigh8

>= 8.0.0
< 8.3.2
< 8.4.0

CVE-2023-22505CONFSERVER-88265Jul 18, 2023
RCE (Remote Code Execution) in Confluence Data Center & ServerHigh8.5

>= 6.1.0
< 7.13.20
< 7.19.8
< 8.2.0

CVE-2023-22508CONFSERVER-88221Jul 18, 2023
Injection, RCE (Remote Code Execution) in BambooHigh7.5

>= 8.0.0
< 9.2.3
< 9.3.1

CVE-2023-22506BAM-22400Jul 18, 2023

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends upgrading your instances to the latest version, if you're unable to do so, upgrade to the minimum fix version in the table below.


Fix Recommendation

Bamboo Server and Data CenterUpgrade to a minimum fix version of 9.2.3, 9.3.1 or latest
Confluence Server and Data CenterUpgrade to a minimum fix version of 8.3.2, 8.4.0 or latest
Last modified on Aug 3, 2023

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.