March 2024 Security Update Advisory for Atlassian Products

Overview

An update has been made available to address vulnerabilities in the Atlassian suite of products. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2022-26133

  • All 5.x versions of Bitbucket Data Center from 5.14.x onward
  • All 6.x versions of Bitbucket Data Center
  • All 7.x versions of Bitbucket Data Center prior to 7.6.14
  • All versions of Bitbucket Data Center from 7.7.x up to and including 7.16.x
  • Any 7.17.x version of Bitbucket Data Center prior to 7.17.6
  • Any 7.18.x version of Bitbucket Data Center prior to 7.18.4
  • Any 7.19.x version of Bitbucket Data Center prior to 7.19.4
  • Bitbucket Data Center 7.20.0
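
The affected ranges above are open-ended prefixes ("all 5.x from 5.14.x onward", "7.7.x through 7.16.x"), which is easy to misread when checking an inventory by hand. The following Python is an added example, not part of this advisory and not Atlassian tooling: it transcribes the CVE-2022-26133 ranges and the fix versions named later in this advisory into comparable tuples, reports whether an installed Bitbucket Data Center version falls in an affected range, and names the nearest listed fix. The hostnames in the sample inventory are constructed placeholders.

```python
"""Audit helper for CVE-2022-26133 (added example, not Atlassian code):
is an installed Bitbucket Data Center version inside one of the affected
ranges listed in this advisory, and which listed fix is the nearest upgrade?"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.17.6' -> (7, 17, 6). A trailing 'x' wildcard such as '7.16.x' is
    dropped so the prefix tuple compares against concrete versions."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if piece.lower() == "x":
            break
        parts.append(int(piece))
    return tuple(parts)


# Affected ranges transcribed from the advisory list: (lower bound inclusive,
# upper bound exclusive). Python tuple comparison makes
# (7, 7) <= (7, 16, 9) < (7, 17) behave as "7.7.x through 7.16.x".
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((5, 14), (6,)),            # all 5.x versions from 5.14.x onward
    ((6,), (7,)),               # all 6.x versions
    ((7,), (7, 6, 14)),         # all 7.x versions prior to 7.6.14
    ((7, 7), (7, 17)),          # 7.7.x up to and including 7.16.x
    ((7, 17), (7, 17, 6)),      # 7.17.x prior to 7.17.6
    ((7, 18), (7, 18, 4)),      # 7.18.x prior to 7.18.4
    ((7, 19), (7, 19, 4)),      # 7.19.x prior to 7.19.4
    ((7, 20, 0), (7, 20, 1)),   # 7.20.0 only
]

# Fix versions named in the "Vulnerability Patches" section of this advisory.
FIXED_VERSIONS = ["7.6.14", "7.17.6", "7.18.4", "7.19.4", "7.20.1", "7.21.0"]


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str:
    """Smallest listed fix in the same major.minor line that is newer than the
    installed version. Lines with no listed fix (6.x, 7.7 to 7.16) get the
    newest listed fix, since the whole line needs a feature upgrade."""
    v = parse_version(version)
    same_line = [f for f in FIXED_VERSIONS
                 if parse_version(f)[:2] == v[:2] and parse_version(f) > v]
    if same_line:
        return min(same_line, key=parse_version)
    return max(FIXED_VERSIONS, key=parse_version)


def audit(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """host -> fix version to move to, or None when the host is not affected."""
    return {host: recommended_fix(ver) if is_affected(ver) else None
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are placeholders.
    sample = {
        "bitbucket-prod.example": "7.6.13",
        "bitbucket-stage.example": "7.20.1",
        "bitbucket-legacy.example": "6.10.2",
    }
    for host, fix in audit(sample).items():
        print(f"{host}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Feed `audit()` the output of your own inventory source; a version that parses to a prefix (for example `7.6`, with no patch component) is treated as the start of that line and therefore reported as affected, which is the conservative reading.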

 

CVE-2016-10750

  • Confluence Data Center 5.6.x and all later versions (with clustering enabled)

CVE-2021-26077

  • Atlassian Connect Spring Boot versions from 1.1.0 up to and including 2.1.2
  • Atlassian Connect Spring Boot version 2.1.4 or later

CVE-2018-11233 (on Bitbucket Server repositories running on Windows or when the fsckObjects option is enabled)

  • Bitbucket Server Git version 2.17.1
  • Bitbucket Server Git version 2.16.4
  • Bitbucket Server Git version 2.15.2
  • Bitbucket Server Git version 2.14.4
  • Bitbucket Server Git version 2.13.7

CVE-2018-11233 (on Bamboo repositories running on Windows or when the fsckObjects option is enabled globally), CVE-2018-11235

  • Bamboo Git version 2.17.1
  • Bamboo Git version 2.16.4
  • Bamboo Git version 2.15.2
  • Bamboo Git version 2.14.4
  • Bamboo Git version 2.13.7

CVE-2023-22514

  • Sourcetree for Mac and Sourcetree for Windows version 3.4.14

CVE-2021-26073

  • Atlassian Connect Express versions from 3.0.2 up to and including 6.5.0

CVE-2022-3509

  • Jira Service Management Data Center and Server versions 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.20.6, 4.20.7, 4.20.8, 4.20.9, 4.20.10, 4.20.11, 4.20.12, 4.20.13, 4.20.14, 5.4.0, 4.20.15, 5.4.1, 4.20.16, 5.5.1, 4.20.17, 5.4.2, 5.6.0, 5.4.3, 4.20.18, 5.7.0, 4.20.19, 5.4.4, 5.8.0, 4.20.20, 4.20.21, 5.4.5, 4.20.22, 5.4.6, 5.9.0, 4.20.23, 5.4.7, 4.20.24, 5.4.8, 5.10.0, 4.20.25, 5.4.9, 5.4.10, 4.20.26

CVE-2023-22516

  • Bamboo Data Center and Server versions 8.1.1, 8.1.2, 8.2.0, 8.1.3, 8.1.4, 8.2.1, 8.1.5, 8.2.2, 8.1.6, 9.0.0, 8.1.7, 8.2.3, 8.2.4, 8.1.9, 8.2.5, 8.2.6, 8.1.10, 9.0.1, 9.1.0, 8.1.11, 8.2.7, 9.0.2, 9.3.0, 9.1.1, 9.2.1, 9.1.2, 8.2.8, 9.0.3, 8.1.12, 9.2.3, 9.1.3, 8.2.9, 9.3.1, 9.2.4, 9.3.2, 9.2.5, 9.3.3, 9.2.6, 8.1.0

CVE-2023-22521

  • Crowd Data Center and Server versions 3.4.6, 5.2.0

CVE-2022-41704

  • Confluence Data Center and Server versions 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.13.13, 7.19.6, 7.13.14, 7.13.15, 7.13.16, 7.13.17, 7.13.18, 7.13.19, 7.19.7, 7.19.8, 7.19.9, 7.19.10, 7.19.11, 7.13.20, 7.19.12, 7.19.14, 7.19.15

CVE-2017-7656

  • Jira Software Data Center and Server versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.10.1

CVE-2019-20903

  • atlaskit/editor-core versions prior to 113.1.5 (when the hyperlink feature is used)

CVE-2021-26074

  • Atlassian Connect Spring Boot versions from 1.1.0 up to and including 2.1.2

CVE-2022-28366

  • Confluence Data Center and Server versions 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 8.1.0, 8.2.0, 8.3.0, 8.5.0, 7.13.13, 7.19.6, 7.13.14, 8.1.1, 7.13.15, 7.13.16, 7.13.17, 7.13.18, 7.13.19, 7.19.7, 7.19.8, 7.19.9, 7.19.10, 7.19.11, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 7.13.20, 7.19.12, 8.5.1, 7.19.14, 8.5.2, 7.19.15, 7.19.16, 8.3.3, 8.5.3, 8.3.4

CVE-2021-22569

  • Jira Service Management Data Center and Server versions 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.20.6, 4.20.7, 4.20.8, 4.20.9, 4.20.10, 4.20.11, 4.20.12, 4.20.13, 4.20.14, 5.4.0, 4.20.15, 5.4.1, 4.20.16, 5.5.1, 4.20.17, 5.4.2, 5.6.0, 5.4.3, 4.20.18, 5.7.0, 4.20.19, 5.4.4, 5.8.0, 4.20.20, 4.20.21, 5.4.5, 4.20.22, 5.4.6, 5.9.0, 4.20.23, 5.4.7, 4.20.24, 5.4.8, 5.10.0, 4.20.25, 5.4.9, 5.4.10, 4.20.26

Resolved Vulnerabilities

Remote code execution vulnerability via Java deserialization in the cluster join procedure in Hazelcast (CVE-2016-10750)

Arbitrary code execution vulnerability via Java deserialization in Atlassian Bitbucket Data Center (CVE-2022-26133)

Compromised authentication vulnerability in Atlassian Connect Spring Boot (CVE-2021-26077)

Arbitrary code execution vulnerability via git submodule names (CVE-2018-11235)

Out-of-bounds memory read vulnerability in the code that checks pathname sanity on NTFS (CVE-2018-11233)

Remote code execution vulnerability in Sourcetree for Mac and Sourcetree for Windows (CVE-2024-21680)

Compromised authentication vulnerability in Atlassian Connect Express (CVE-2021-26073)

Denial of service vulnerability due to a text-format parsing issue in the core and lite versions of protobuf-java (CVE-2022-3509)

Remote code execution vulnerability in Bamboo Data Center and Server (CVE-2023-22516)

Remote code execution vulnerability in Crowd Data Center and Server (CVE-2023-22521)

SSRF Vulnerability in Confluence Data Center and Server (CVE-2022-41704)

Cache Poisoning Vulnerability in Jira Software Data Center and Server (CVE-2017-7656)

XSS vulnerability in atlaskit/editor-core (CVE-2019-20903)

Compromised authentication vulnerability in Atlassian Connect Spring Boot (CVE-2021-26074)

DoS vulnerability in Confluence Data Center and Server (CVE-2022-28366)

Denial of Service Vulnerability due to an issue in protobuf-java in Jira Service Management Data Center and Server that allowed interleaving of com.google.protobuf.UnknownFieldSet fields out of order (CVE-2021-22569)

Vulnerability Patches

Patches have been made available through updates. Please follow the instructions on the referenced sites to update to the latest patched version.

CVE-2022-26133

  • Bitbucket Data Center versions 7.6.14, 7.17.6, 7.18.4, 7.19.4, 7.20.1, 7.21.0

CVE-2016-10750

  • Confluence Data Center versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1

CVE-2021-26077

  • Atlassian Connect Spring Boot version 2.1.3, or version 2.1.5 or later

CVE-2018-11233 (on Bamboo repositories running on Windows or when the fsckObjects option is enabled globally), CVE-2018-11235

  • Bamboo version 6.6.0 or later

CVE-2023-22514

  • Sourcetree for Mac and Sourcetree for Windows version 3.4.15

CVE-2021-26073

  • Atlassian Connect Express version 6.6.0 or later

CVE-2022-3509

  • Jira Service Management Data Center and Server version 4.20.27 or later
  • Jira Service Management Data Center and Server version 5.4.11 or later

CVE-2023-22516

  • Bamboo Data Center and Server versions 9.3.4, 9.2.7

CVE-2023-22521

  • Crowd Data Center and Server versions 5.1.6, 5.2.1

CVE-2022-41704

  • Confluence Data Center and Server version 7.19.16

CVE-2017-7656

  • Jira Software Data Center and Server versions 9.12.0, 9.11.1, 9.10.2, and 9.4.14

CVE-2019-20903

  • atlaskit/editor-core version 113.1.5

CVE-2021-26074

  • Atlassian Connect Spring Boot version 2.1.3

CVE-2022-28366

  • Confluence Data Center and Server versions 8.6.0, 8.5.4, and 7.19.17

CVE-2021-22569

  • Jira Service Management Data Center and Server versions 4.20.27 and 5.4.11

Referenced Sites

[1] Multiple Products Security Advisory – Hazelcast Vulnerable To Remote Code Execution – CVE-2016-10750, CVE-2022-26133

https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html

[2] CVE-2021-26077 – Broken authentication in Atlassian Connect Spring Boot (ACSB)

https://confluence.atlassian.com/security/cve-2021-26077-broken-authentication-in-atlassian-connect-spring-boot-acsb-1063555147.html

[3] Atlassian Products & Services and CVE-2018-11235 & CVE-2018-11233

https://confluence.atlassian.com/security/atlassian-products-services-and-cve-2018-11235-cve-2018-11233-951406113.html

[4] Atlassian Products & Services and CVE-2018-11235 & CVE-2018-11233

https://confluence.atlassian.com/security/atlassian-products-services-and-cve-2018-11235-cve-2018-11233-951406113.html

[5] Remote Code Execution (RCE) in Sourcetree for Mac and Sourcetree for Windows

https://jira.atlassian.com/browse/SRCTREE-8076

[6] CVE-2021-26073 – Broken authentication in Atlassian Connect Express (ACE)

https://confluence.atlassian.com/security/cve-2021-26073-broken-authentication-in-atlassian-connect-express-ace-1051986099.html

[7] com.google.protobuf:protobuf-java Vulnerability in Jira Service Management Data Center and Server

https://jira.atlassian.com/browse/JSDSERVER-14755?jql=text%20~%20%22CVE-2022-3509%22

[8] Remote Code Execution (RCE) in Bamboo Data Center and Server

https://jira.atlassian.com/browse/BAM-25168

[9] RCE (Remote Code Execution) in Crowd Data Center and Server

https://jira.atlassian.com/browse/CWD-6139

[10] SSRF org.apache.xmlgraphics in Confluence Data Center and Server

https://jira.atlassian.com/browse/CONFSERVER-93179

[11] Cache Poisoning org.eclipse.jetty:jetty-server in Jira Software Data Center and Server

https://jira.atlassian.com/browse/JSWSERVER-22148

[12] CVE-2019-20903 – XSS in atlaskit/editor-core

https://confluence.atlassian.com/security/cve-2019-20903-xss-in-atlaskit-editor-core-1021244735.html

[13] CVE-2021-26074 – Broken authentication in Atlassian Connect Spring Boot (ACSB)

https://confluence.atlassian.com/security/cve-2021-26074-broken-authentication-in-atlassian-connect-spring-boot-acsb-1051986106.html

[14] Denial of Service (DoS) net.sourceforge.nekohtml:nekohtml in Confluence Data Center and Server

https://jira.atlassian.com/browse/CONFSERVER-93169

[15] com.google.protobuf:protobuf-java Vulnerability in Jira Service Management Data Center and Server

https://jira.atlassian.com/browse/JSDSERVER-14753