Atlassian Releases July 2023 Security Bulletin

Atlassian security updates address three high severity vulnerabilities affecting multiple products.

Threat ID:: CC-4361
Threat Severity:: Medium
Published:: 24 July 2023 4:37 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Atlassian security updates address three high severity vulnerabilities affecting multiple products.

Affected platforms

The following platforms are known to be affected:

Versions: 7.4.x to 8.x before 8.2.0

Atlassian Confluence Data Center

Versions: 7.4.x to 8.x before 8.2.0

Atlassian Confluence Server

Versions: 8.x, 9.2.x before 9.2.3, 9.3.x before 9.3.1

Atlassian Bamboo Data Center

Versions: 8.x, 9.2.x before 9.2.3, 9.3.x before 9.3.1

Atlassian Bamboo Server

Threat details

Introduction

Atlassian has released the July 2023 Security Bulletin that addresses three high severity vulnerabilities in multiple products. CVE-2023-22505 and CVE-2023-22508 are Remote Code Execution (RCE) vulnerabilities affecting Confluence Server and Confluence Data Center. CVE-2023-22506 is an injection and RCE vulnerability affecting Bamboo Server and Bamboo Data Center.

Remediation advice

Affected organisations are encouraged to review the Atlassian July 2023: Atlassian Security Bulletin and apply the relevant updates.

Definitive source of threat updates

https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html

CVE Vulnerabilities

Status Published

CVE-2023-22505

This High severity RCE (Remote Code Execution) vulnerability known as CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center & Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction.

Status Published

CVE-2023-22508

This High severity RCE (Remote Code Execution) vulnerability known as CVE-2023-22508 was introduced in version 7.4.0 of Confluence Data Center & Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction.

Status Published

CVE-2023-22506

This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center. This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction.

Last edited: 24 July 2023 4:37 pm