Atlassian Releases December 2023 Security Bulletin

Atlassian security updates address four critical severity vulnerabilities affecting multiple products


Threat details

Introduction

Atlassian has released the December 2023 Security Bulletin that addresses four critical severity vulnerabilities in multiple products. All of the vulnerabilities mentioned are Remote Code Execution (RCE) vulnerabilities.


Vulnerability details

  • CVE-2023-22522 - Remote Code Execution (RCE)

This is a critical template injection vulnerability (CVSS score of 9.0), which could allow an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page.

  • CVE-2023-22523 - Remote Code Execution (RCE)

This is a critical RCE vulnerability (CVSS score of 9.8). If exploited, it could allow an attacker to perform privileged RCE on targeted systems that have the Assets Discovery agent installed. The vulnerability affects the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent.

  • CVE-2023-22524 - Remote Code Execution (RCE)

This is a critical RCE vulnerability (CVSS score of 9.6) affecting specific versions of the Atlassian Companion App for macOS. It could be exploited by an attacker using WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper, allowing code execution.

  • CVE-2022-1471 - Remote Code Execution (RCE)

This is a critical RCE vulnerability (CVSS score of 9.8) affecting SnakeYaml's Constructor() class. Deserialising YAML content supplied by an attacker with this class could allow the attacker to perform remote code execution.
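The following is an added illustration of the unsafe and the hardened loading patterns, not code from the bulletin or from Atlassian. It assumes SnakeYAML 1.x (the affected line) and uses a constructed sample document whose global tag names a harmless JDK class; the point is that SafeConstructor refuses to instantiate any tagged class at all.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlLoading {

    // Constructed sample input (not from any real system): the "!!" global tag asks
    // the loader to instantiate an arbitrary Java class found on the classpath.
    static final String TAGGED_DOC =
            "value: !!java.net.URL [\"http://example.invalid/\"]";

    // Vulnerable pattern (CVE-2022-1471): Constructor() resolves global tags to
    // any class on the classpath and calls its constructor with the YAML data.
    static Object loadWithConstructor(String doc) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, strings, numbers, ...) and throws on unknown tags.
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadWithConstructor(TAGGED_DOC);
        // Constructor() happily built a java.net.URL object from untrusted input.
        System.out.println("Constructor() instantiated: "
                + unsafe.get("value").getClass().getName());

        try {
            loadWithSafeConstructor(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (YAMLException e) {
            // Expected: the tagged class is never instantiated.
            System.out.println("SafeConstructor rejected the document: "
                    + e.getMessage());
        }
    }
}
```

Reviewing an application for `new Yaml()` or `new Yaml(new Constructor())` on attacker-reachable input is the practical check that follows from this advisory.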


Remediation advice

Affected organisations are encouraged to review the Atlassian "December 2023: Atlassian Security Bulletin" and apply the relevant updates.



Last edited: 8 December 2023 12:56 pm