Security Bulletin - November 21 2023

November 2023 Security Bulletin

The issues in this bulletin reflect a recent broadening of the scope of our disclosures. Previously we focused on disclosing first-party, critical-severity vulnerabilities through critical advisories. The high-severity vulnerabilities in this bulletin have a lower impact than those covered by the critical advisories we have published in the past. This change increases the visibility and number of disclosures, but it does not mean there are more vulnerabilities: it means we are taking a more proactive approach to vulnerability transparency and are committed to giving our customers the information they need to make informed decisions about updating our products.

This security bulletin covers 26 high-severity vulnerabilities, all of which have been fixed in new versions of our products released in the last month. They were found through our Bug Bounty program and penetration-testing processes, and through scans of third-party libraries.


Questions about the bulletin? Read more about this new format here.

Released Security Vulnerabilities
Summary | Severity | CVSS Score | Affected Versions | CVE ID | More Details | Public Date
Info Disclosure com.google.guava:guava in Jira Software Data Center and Server | High | 7.1 | All versions including and after 8.20.0 | CVE-2023-2976 | JSWSERVER-25415 | Nov 21, 2023
DoS (Denial of Service) com.google.code.gson:gson in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2022-25647 | JSWSERVER-25412 | Nov 21, 2023
DoS (Denial of Service) org.jsoup:jsoup in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2021-37714 | JSWSERVER-25410 | Nov 21, 2023
Deserialization com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2022-42004 | JSWSERVER-25409 | Nov 21, 2023
DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2022-42003 | JSWSERVER-25408 | Nov 21, 2023
DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2021-46877 | JSWSERVER-25407 | Nov 21, 2023
DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2020-36518 | JSWSERVER-25406 | Nov 21, 2023
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2023-42794 | JSWSERVER-25400 | Nov 21, 2023
DoS (Denial of Service) io.netty:netty-codec-http2 in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2023-44487 | JSWSERVER-25398 | Nov 21, 2023
Cache Poisoning org.eclipse.jetty:jetty-server in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2017-7656 | JSWSERVER-22148 | Nov 21, 2023
DoS (Denial of Service) org.eclipse.jetty:jetty-io in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2021-28165 | JSWSERVER-22145 | Nov 21, 2023
Info Disclosure org.eclipse.jetty:jetty-util in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2017-9735 | JSWSERVER-22141 | Nov 21, 2023
RCE (Remote Code Execution) in Crowd Data Center and Server | High | 8.0 | All versions including and after 3.4.6 | CVE-2023-22521 | CWD-6139 | Nov 21, 2023
SSRF org.apache.xmlgraphics in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-41704 | CONFSERVER-93179 | Nov 21, 2023
SSRF org.apache.xmlgraphics:batik-bridge in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-40146 | CONFSERVER-93178 | Nov 21, 2023
XSS org.apache.xmlgraphics:batik-script in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-42890 | CONFSERVER-93175 | Nov 21, 2023
org.apache.tomcat:tomcat-catalina Vulnerability in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-45143 | CONFSERVER-93173 | Nov 21, 2023
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-28366 | CONFSERVER-93169 | Nov 21, 2023
Request Smuggling org.apache.tomcat:tomcat-coyote in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-42252 | CONFSERVER-93168 | Nov 21, 2023
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2023-42794 | CONFSERVER-93164 | Nov 21, 2023
DoS (Denial of Service) io.netty:netty-codec-http2 in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2023-44487 | CONFSERVER-93163 | Nov 21, 2023
Third-Party Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2021-40690 | BSERV-18986 | Nov 21, 2023
DoS (Denial of Service) apache-struts in Bamboo Data Center and Server | High | 7.5 | All versions including and after 8.1.0 | CVE-2023-34396 | BAM-25501 | Nov 21, 2023
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Bamboo Data Center and Server | High | 7.5 | All versions including and after 8.1.0 | CVE-2023-42794 | BAM-25470 | Nov 21, 2023
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote in Bamboo Data Center and Server | High | 7.5 | All versions including and after 8.1.0 | CVE-2023-44487 | BAM-25469 | Nov 21, 2023
RCE (Remote Code Execution) in Bamboo Data Center and Server | High | 8.5 | All versions including and after 8.1.0 | CVE-2023-22516 | BAM-25168 | Nov 21, 2023

What you need to do

To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you are unable to do so, patch to at least the minimum fix version for your product listed in the table below.

Product | Fix Recommendation
Crowd Data Center and Server | Patch to a minimum fix version of 5.1.6, 5.2.1 or latest
Confluence Data Center | Patch to a minimum fix version of 8.6.1 or latest
Confluence Server | Patch to a minimum fix version of 8.5.4 or latest
Bitbucket Data Center and Server | Patch to a minimum fix version of 7.21.18 or latest
Bamboo Data Center and Server | Patch to a minimum fix version of 9.2.7, 9.3.4, 9.3.5 or latest
Jira Data Center and Server | Patch to a minimum fix version of 9.12.0 or latest
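As an added example (not part of the bulletin and not Atlassian's own tooling), the following Python encodes the affected-range starts from the vulnerability table and the minimum fix versions from the table above, and reports for an installed version whether it is inside the affected range and which minimum fix version applies. It assumes two things the page does not spell out: that where several fix versions are listed, each is the minimum for its own major.minor release line (so Bamboo 9.2.x needs 9.2.7 while 9.3.x needs 9.3.4), and that a version newer than every listed fix is what "or latest" refers to. The status labels and the sample inventory are my own constructions.

```python
"""Branch-aware check of an installed Atlassian product version against the
minimum fix versions in the November 2023 security bulletin.

Added example, not Atlassian tooling. Assumptions not stated on the page:
 - each listed fix version is the minimum for its own major.minor release line;
 - a version newer than every listed fix is covered by "or latest";
 - "not-affected" only means "below this bulletin's affected range", nothing more.
"""
from __future__ import annotations

# "Affected Versions" column of the vulnerability table: start of the affected range.
AFFECTED_FROM = {
    "Crowd Data Center and Server": "3.4.6",
    "Confluence Data Center": "6.13.0",
    "Confluence Server": "6.13.0",
    "Bitbucket Data Center and Server": "7.21.0",
    "Bamboo Data Center and Server": "8.1.0",
    "Jira Data Center and Server": "8.20.0",
}

# "What you need to do" table: minimum fix versions per product.
FIX_VERSIONS = {
    "Crowd Data Center and Server": ["5.1.6", "5.2.1"],
    "Confluence Data Center": ["8.6.1"],
    "Confluence Server": ["8.5.4"],
    "Bitbucket Data Center and Server": ["7.21.18"],
    "Bamboo Data Center and Server": ["9.2.7", "9.3.4", "9.3.5"],
    "Jira Data Center and Server": ["9.12.0"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """'9.12' -> (9, 12, 0). Pads to three components so tuple comparison is stable."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def assess(product: str, installed: str) -> tuple[str, str | None]:
    """Return (status, target_version).

    status is one of:
      not-affected           installed predates the affected range of this bulletin
      fixed                  installed is at or above the fix for its release line
      upgrade-within-branch  a fix exists in this release line; target is that version
      upgrade-to-branch      no fix in this release line; target is the next fixed line
    """
    cur = parse_version(installed)
    if cur < parse_version(AFFECTED_FROM[product]):
        return ("not-affected", None)

    fixes = sorted(parse_version(f) for f in FIX_VERSIONS[product])

    # Fix versions that share the install's major.minor release line (assumption).
    same_line = [f for f in fixes if f[:2] == cur[:2]]
    if same_line:
        minimum = same_line[0]
        if cur >= minimum:
            return ("fixed", None)
        return ("upgrade-within-branch", fmt(minimum))

    # No fix listed for this release line. Newer than every listed fix is taken
    # to be "or latest" (assumption); otherwise move up to the next fixed line.
    if cur > fixes[-1]:
        return ("fixed", None)
    next_fix = min(f for f in fixes if f > cur)
    return ("upgrade-to-branch", fmt(next_fix))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real instances.
    inventory = [
        ("Bamboo Data Center and Server", "9.1.5"),
        ("Bamboo Data Center and Server", "9.3.0"),
        ("Jira Data Center and Server", "9.11.2"),
        ("Confluence Server", "8.5.3"),
        ("Crowd Data Center and Server", "5.1.6"),
    ]
    for product, version in inventory:
        status, target = assess(product, version)
        note = f" (patch to {target})" if target else ""
        print(f"{product} {version}: {status}{note}")
```

The branch logic is the part worth keeping: a Bamboo 9.1.x install has no fix in its own line, so the script points it at 9.2.7 rather than wrongly reporting it fixed because 9.1.5 is below 9.2.7 only in the minor component; a 9.3.0 install is told to move to 9.3.4, not 9.2.7. Versions below the affected range are flagged "not-affected" for this bulletin only; they are old enough to carry other issues and should still be brought to a supported release.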

To search for CVEs or check whether your product versions are affected by disclosed vulnerabilities, use the Vulnerability Disclosure Portal.

Last modified on Jan 16, 2024
