Security Bulletin - October 17 2023
October 2023 Security Bulletin
It is important to note that the issues included in this bulletin reflect a recent increase in the scope of our disclosures: previously we focused on disclosing first-party, critical-severity vulnerabilities via critical advisories. The high-severity vulnerabilities included in this bulletin have a lower impact than the critical advisories we have published previously. While this change results in increased visibility and more disclosures, it does not mean there are more vulnerabilities; rather, we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products.
The vulnerabilities reported in this security bulletin include 2 critical and 26 high-severity vulnerabilities, which have been fixed in new versions of our products released in the last month. These vulnerabilities were discovered via our Bug Bounty program and penetration-testing processes, as well as third-party library scans.
Questions about the bulletin? Read more about this new format here.
Released Security Vulnerabilities
Summary | Severity | CVSS Score | Affected Versions | CVE ID | More Details | Public Date |
---|---|---|---|---|---|---|
Broken Access Control Vulnerability in Confluence Data Center and Server | Critical | 10.0 | All versions of Confluence Data Center and Server including and after 8.0.0 | | | Oct 4, 2023 |
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server | Critical | 9.8 | All versions of Jira Service Management Data Center and Server including and after 4.20.0 | CVE-2019-13990 | View Advisory | Oct 17, 2023 |
RCE (Remote Code Execution) in Sourcetree for Mac and Windows | High | 7.8 | All Windows versions including and after 3.4.0; all Mac versions including and after 4.1.0 | | | Oct 17, 2023 |
com.google.protobuf:protobuf-java Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2022-3509 | JSDSERVER-14755 | Oct 17, 2023 |
com.google.protobuf:protobuf-java Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2022-3171 | JSDSERVER-14754 | Oct 17, 2023 |
com.google.protobuf:protobuf-java Vulnerability in Jira Service Management Data Center and Server | High | 5.5 | All versions including and after 4.20.0 | CVE-2021-22569 | JSDSERVER-14753 | Oct 17, 2023 |
FasterXML Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2022-42004 | JSDSERVER-14752 | Oct 17, 2023 |
FasterXML Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2022-42003 | JSDSERVER-14751 | Oct 17, 2023 |
jackson-databind Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2021-46877 | JSDSERVER-14750 | Oct 17, 2023 |
jackson-databind Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2020-36518 | JSDSERVER-14749 | Oct 17, 2023 |
Json-smart Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2021-31684 | JSDSERVER-14748 | Oct 17, 2023 |
Json-smart Vulnerability in Jira Service Management Data Center and Server | High | 7.5 | All versions including and after 4.20.0 | CVE-2023-1370 | JSDSERVER-14746 | Oct 17, 2023 |
Apache Kafka Connect API Vulnerability in Bitbucket Data Center and Server | High | 8.8 | All versions including and after 7.21.0 | CVE-2023-25194 | BSERV-18834 | Oct 17, 2023 |
FasterXML Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2022-42004 | BSERV-18833 | Oct 17, 2023 |
FasterXML Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2022-42003 | BSERV-18832 | Oct 17, 2023 |
jackson-databind Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2021-46877 | BSERV-18831 | Oct 17, 2023 |
jackson-databind Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2020-36518 | BSERV-18830 | Oct 17, 2023 |
com.google.code.gson Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2022-25647 | BSERV-18793 | Oct 17, 2023 |
Jettison Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2022-45685 | BSERV-18790 | Oct 17, 2023 |
hutool-json Vulnerability in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.17.0 | CVE-2022-45688 | BSERV-18789 | Oct 17, 2023 |
Woodstox Vulnerability in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.1.0 | CVE-2022-40152 | BAM-25155 | Oct 17, 2023 |
FasterXML Vulnerability in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.1.0 | CVE-2022-42004 | BAM-25154 | Oct 17, 2023 |
FasterXML Vulnerability in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.1.0 | CVE-2022-42003 | BAM-25153 | Oct 17, 2023 |
jackson-databind Vulnerability in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.1.0 | CVE-2021-46877 | BAM-25152 | Oct 17, 2023 |
jackson-databind Vulnerability in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.1.0 | CVE-2020-36518 | BAM-25151 | Oct 17, 2023 |
org.apache.tomcat:tomcat-catalina Vulnerability in Bamboo Data Center and Server | High | 7.5 | All versions including and after 9.2.2 | CVE-2023-28709 | BAM-22601 | Oct 17, 2023 |
What you need to do
To fix all the vulnerabilities in this bulletin, Atlassian recommends upgrading your instances to the latest version. If you're unable to do so, upgrade to the minimum fix version in the table below.
Product | Fix Recommendation |
---|---|
Confluence Server and Data Center | Upgrade to a minimum fix version of 8.3.3, 8.4.3, 8.5.2 or latest |
Jira Service Management Data Center and Server | Upgrade to a minimum fix version of 4.20.27, 5.4.11 or latest |
Bitbucket Data Center and Server | Upgrade to a minimum fix version of 7.21.16, 8.9.4, 8.10.4, 8.11.3, 8.12.1, 8.13.1 or latest |
Bamboo Data Center and Server | Upgrade to a minimum fix version of 9.2.5, 9.3.1, 9.3.3 or latest |
Sourcetree for Windows | Upgrade to a minimum fix version of 3.4.15 or latest |
Sourcetree for Mac | Upgrade to a minimum fix version of 4.2.5 or latest |
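The fix table lists one minimum fix version per release branch, so "am I patched?" depends on which branch you run: Confluence 8.4.1 needs 8.4.3, while 8.2.x has no fix on its branch and must move to a later release. The helper below turns that table into a check; it is an added example, not Atlassian tooling, and the product keys plus the branch rule (a fix version applies to its own major.minor branch, anything newer than every listed fix counts as "or latest") are assumptions.

```python
"""Check an installed Atlassian version against the October 2023 bulletin's fix table.

Added example, not Atlassian's own tooling. FIX_VERSIONS is copied from the
bulletin's "What you need to do" table; the product keys are made up here.
Expects plain dotted numeric versions such as "8.5.2".
"""
from typing import Optional, Tuple

# Minimum fix versions per product, one entry per release branch (from the bulletin).
FIX_VERSIONS = {
    "confluence": ["8.3.3", "8.4.3", "8.5.2"],
    "jira-service-management": ["4.20.27", "5.4.11"],
    "bitbucket": ["7.21.16", "8.9.4", "8.10.4", "8.11.3", "8.12.1", "8.13.1"],
    "bamboo": ["9.2.5", "9.3.1", "9.3.3"],
    "sourcetree-windows": ["3.4.15"],
    "sourcetree-mac": ["4.2.5"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "8.10.4" into (8, 10, 4) so comparisons are numeric, not lexical
    (a string compare would wrongly rank "8.9.4" above "8.10.4")."""
    return tuple(int(part) for part in v.strip().split("."))


def recommended_upgrade(product: str, installed: str) -> Optional[str]:
    """Return None if `installed` already meets the fix table.

    Otherwise return the minimum fix version on the same feature branch
    (major.minor), or "latest" when no fix version is listed for that branch
    and the installed release is older than every listed fix.
    """
    inst = parse_version(installed)
    fixes = FIX_VERSIONS[product]
    for fix in fixes:
        fix_t = parse_version(fix)
        if inst[:2] == fix_t[:2]:  # same release branch as this fix version
            return None if inst >= fix_t else fix
    # No fix listed on this branch: releases newer than every fix version are
    # covered by "or latest"; anything older has to move to a fixed branch.
    newest = max(fixes, key=parse_version)
    return None if inst > parse_version(newest) else "latest"


if __name__ == "__main__":
    # Constructed sample inventory: (product, installed version).
    for prod, ver in [("confluence", "8.4.1"), ("confluence", "8.2.0"),
                      ("bitbucket", "8.11.3"), ("jira-service-management", "4.20.26")]:
        print(prod, ver, "->", recommended_upgrade(prod, ver) or "fixed")
```

The check covers only the fix table; whether a given CVE's affected range (for example "including and after 7.21.0" for the Bitbucket Kafka Connect entry) applies to your instance still has to be read from the vulnerability table above.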
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.