Security Bulletin - May 21 2024

Still need help?

The Atlassian Community is here for you.

Ask the community

May 2024 Security Bulletin

The vulnerabilities reported in this Security Bulletin include 35 high-severity vulnerabilities and 2 critical-severity vulnerabilities which have been fixed in new versions of our products, released in the last month. These vulnerabilities are discovered via our Bug Bounty program, pen-testing processes, and third-party library scans.

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of May 21, 2024 (date of publication); visit the linked product Release Notes for the most up-to-date versions.

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.  Please refer to our Data Center Security Best Practices document for more information. 

This month’s Bulletin includes fixes for several third-party CVEs released in years past. The discrepancy between the CVE issue date and the Atlassian fix date does not always mean that affected products have been vulnerable for the lapsed time. In many cases, the application of the dependency did not previously present a risk and only now must be addressed alongside regular product upgrades.

However, as part of our commitment to continuous improvement, Atlassian recently enhanced its existing capabilities around third-party dependent security issues. We will continue to carefully assess the risk of third-party CVEs present in Atlassian products and prioritize mitigating customer exposure while minimizing customer disruption.

Released Security Vulnerabilities
Product & Release NotesAffected VersionsFixed VersionVulnerability SummaryCVE IDCVSS Severity
Bamboo Data Center and Server
  • 9.5.0 to 9.5.1
  • 9.4.0 to 9.4.3
  • 9.3.0 to 9.3.6
  • 9.2.1 to 9.2.13 (LTS)
  • 9.1.0 to 9.1.3
  • 9.0.0 to 9.0.4
  • 9.6.0 to 9.6.2 LTS  Data Center Only recommended
  • 9.5.2 to 9.5.4 Data Center Only
  • 9.4.4
  • 9.2.14 (LTS)
RCE (Remote Code Execution) org.eclipse.jgit:org.eclipse.jgit Dependency in Bamboo Data Center and ServerCVE-2023-47598.8 High
Bitbucket Data Center and Server
  • 8.19.0 to 8.19.2 (LTS)
  • 8.18.0 to 8.18.1
  • 8.17.0 to 8.17.2
  • 8.16.0 to 8.16.4
  • 8.15.0 to 8.15.5
  • 8.14.0 to 8.14.6
  • 8.13.0 to 8.13.6
  • 8.12.0 to 8.12.6
  • 8.11.0 to 8.11.6
  • 8.10.0 to 8.10.6
  • 8.9.0 to 8.9.13 (LTS)
  • 8.8.0 to 8.8.7
  • 8.7.0 to 8.7.5
  • 8.6.0 to 8.6.4
  • 8.5.0 to 8.5.4
  • 8.4.0 to 8.4.4
  • 8.3.0 to 8.3.4
  • 8.2.0 to 8.2.4
  • 8.1.0 to 8.1.5
  • 8.0.1 to 8.0.5
  • 8.19.3 (LTS) recommended Data Center Only
  • 8.9.14 (LTS)
Improper Authorization org.springframework.security:spring-security-core Dependency in Bitbucket Data Center and ServerCVE-2024-222578.2 High
SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Bitbucket Data Center and ServerCVE-2024-222628.1 High
Confluence Data Center and Server
  • 8.9.0
  • 8.8.0 to 8.8.1
  • 8.7.1 to 8.7.2
  • 8.6.0 to 8.6.2
  • 8.5.0 to 8.5.8 (LTS)
  • 8.4.0 to 8.4.5
  • 8.3.0 to 8.3.4
  • 8.2.0 to 8.2.3
  • 8.1.0 to 8.1.4
  • 8.0.0 to 8.0.4
  • 7.20.0 to 7.20.3
  • 7.19.0 to 7.19.21 (LTS)
  • 8.9.1 Data Center Only
  • 8.5.9 (LTS) recommended
  • 7.19.22 (LTS)

SQLi (SQL Injection) org.postgresql:postgresql Dependency in Confluence Data Center and Server

NOTE: CVE-2024-1597 is a critical vulnerability in a non-Atlassian Confluence dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. 

CVE-2024-15979.8 Critical
Improper Authorization com.hazelcast:hazelcast Dependency in Confluence Data Center and ServerCVE-2023-458597.6 High
DoS (Denial of Service) org.apache.tomcat:tomcat-websocket Dependency in Confluence Data Center and ServerCVE-2024-236727.5 High
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Confluence Data Center and ServerCVE-2024-245497.5 High

RCE (Remote Code Execution) in Confluence Data Center and Server

CVE-2024-21683

7.2 High

Crowd Data Center and Server
  • 5.2.0 to 5.2.4
  • 5.1.0 to 5.1.9
  • 5.0.1 to 5.0.11
  • 5.3.0 to 5.3.1 recommended Data Center Only
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-111138.8 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-111128.8 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-111118.8 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-109698.8 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-109688.8 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-106738.8 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-106728.8 High
Improper Authorization org.springframework.security:spring-security-core Dependency in Crowd Data Center and ServerCVE-2024-222578.2 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-361808.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-361848.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-361888.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-361818.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-361828.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-246168.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-357288.1 High
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2020-361798.1 High
Security Misconfiguration org.eclipse.jetty:jetty-server Dependency in Crowd Data Center and ServerCVE-2017-76567.5 High
DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and ServerCVE-2023-343967.5 High
DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and ServerCVE-2023-418357.5 High
Information Disclosure org.eclipse.jetty:jetty-util Dependency in Crowd Data Center and ServerCVE-2017-97357.5 High
DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and ServerCVE-2022-420037.5 High
DoS (Denial of Service) org.eclipse.jetty:jetty-io Dependency in Crowd Data Center and ServerCVE-2021-281657.5 High
Jira Data Center and Server
  • 9.14.0 to 9.14.1
  • 9.13.0 to 9.13.1
  • 9.12.0 to 9.12.6 (LTS)
  • 9.11.0 to 9.11.3
  • 9.10.0 to 9.10.2
  • 9.9.0 to 9.9.2
  • 9.8.0 to 9.8.2
  • 9.7.0 to 9.7.2
  • 9.6.0
  • 9.5.0 to 9.5.1
  • 9.4.0 to 9.4.19 (LTS)
  • 9.3.0 to 9.3.3
  • 9.2.0 to 9.2.1
  • 9.1.0 to 9.1.1
  • 9.0.0
  • 9.15.2 Data Center Only
  • 9.12.7 to 9.12.8 (LTS) recommended
  • 9.4.20 to 9.4.21 (LTS)

SQLi (SQL Injection) org.postgresql:postgresql Dependency in Jira Software Data Center and Server

NOTE: CVE-2024-1597 is a critical vulnerability in a non-Atlassian Jira Software dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. 

CVE-2024-15979.8 Critical
Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and ServerCVE-2024-222578.2 High
DoS (Denial of Service) com.google.code.gson:gson Dependency in Jira Software Data Center and ServerCVE-2022-256477.5 High
DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Software Data Center and ServerCVE-2022-419667.5 High
DoS (Denial of Service) org.apache.tomcat:tomcat-websocket Dependency in Jira Software Data Center and ServerCVE-2024-236727.5 High
Jira Service Management Data Center and Server
  • 5.14.0 to 5.14.1
  • 5.13.0 to 5.13.1
  • 5.12.0 to 5.12.6 (LTS)
  • 5.11.0 to 5.11.3
  • 5.10.0 to 5.10.2
  • 5.9.0 to 5.9.2
  • 5.8.0 to 5.8.2
  • 5.7.0 to 5.7.2
  • 5.6.0
  • 5.5.0 to 5.5.1
  • 5.4.0 to 5.4.19 (LTS)
  • 5.3.0 to 5.3.3
  • 5.2.0 to 5.2.1
  • 5.1.0 to 5.1.1
  • 5.0.0
  • 5.15.2
  • 5.12.7 to 5.12.8 (LTS) recommended
  • 5.4.20 to 5.4.21 (LTS)
Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Service Management Data Center and ServerCVE-2024-222578.2 High
DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Service Management Data Center and ServerCVE-2024-216347.5 High


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.

  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.
  • I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.

  • Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post


To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Jun 6, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.