Multiple Critical Vulnerabilities in Atlassian Products
8 December 2023
Atlassian has released security updates to address multiple critical vulnerabilities (CVE-2023-22522, CVE-2023-22523, CVE-2023-22524 and CVE-2022-1471) impacting various Atlassian products.
The critical vulnerabilities and product versions affected are:
CVE-2023-22522: A vulnerability in Confluence Data Center and Server that could allow authenticated users to perform remote code execution (RCE). Unauthenticated users could also perform RCE if anonymous access has been granted. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0 out of 10 and affects Confluence Data Center and Server versions after 4.0.0 and up to 8.5.3, and Confluence Data Center versions 8.6.0 and 8.6.1.
CVE-2023-22523: A vulnerability in the Assets Discovery component of Jira Service Management Cloud, Server, and Data Center that could allow an attacker to perform RCE. The vulnerability has a CVSS score of 9.8 out of 10 and affects Assets Discovery versions before 3.2.0 for Jira Service Management Cloud, and Assets Discovery versions before 6.2.0 for both Jira Service Management Server and Jira Service Management Data Center.
CVE-2023-22524: A vulnerability in the Atlassian Companion App for macOS that could allow an attacker to perform RCE. The vulnerability has a CVSS score of 9.6 out of 10 and affects Confluence Server and Data Center for macOS versions before 2.0.0.
CVE-2022-1471: A deserialisation flaw in the SnakeYAML library, used by multiple versions of Jira, Bitbucket and Confluence products, that could allow an attacker to perform RCE. The vulnerability has a CVSS score of 9.8 out of 10 and affects Jira, Bitbucket and Confluence products using SnakeYAML library versions before 2.0.0. The complete list can be viewed.
Users and administrators of the affected product versions are advised to update to the latest versions immediately.
More information is available here:
https://confluence.atlassian.com/security/december-2023-security-advisories-overview-1318892103.html