{"id":164743,"date":"2024-06-20T18:22:21","date_gmt":"2024-06-20T18:22:21","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164743"},"modified":"2024-06-20T18:23:09","modified_gmt":"2024-06-20T18:23:09","slug":"atlassian-confluence-crucible-jira-flaws","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164743\/security\/atlassian-confluence-crucible-jira-flaws.html","title":{"rendered":"Atlassian fixed six high-severity bugs in Confluence Data Center and Server"},"content":{"rendered":"
<\/div>\n

Australian software company Atlassian addressed multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira solutions.<\/h2>\n\n\n\n

Atlassian's June 2024 Security Bulletin<\/a> addresses nine high-severity vulnerabilities in its Confluence, Crucible, and Jira products.<\/p>\n\n\n\n

The most severe issue is an improper authorization flaw in the org.springframework.security:spring-security-core dependency bundled with Confluence Data Center and Server. The flaw, tracked as CVE-2024-22257<\/a>, has a CVSS score of 8.2.<\/p>\n\n\n\n

The Confluence Data Center and Server update also resolves five further vulnerabilities in bundled third-party libraries: three SSRF (Server-Side Request Forgery) flaws in org.springframework:spring-web and two DoS (Denial of Service) flaws in org.apache.commons:commons-configuration2. Below is the list of the addressed flaws:<\/p>\n\n\n\n

<table><thead><tr><th colspan=\"6\">Released Security Vulnerabilities<\/th><\/tr>
<tr><th>Product & Release Notes<\/th><th>Affected Versions<\/th><th>Fixed Version<\/th><th>Vulnerability Summary<\/th><th>CVE ID<\/th><th>CVSS Severity<\/th><\/tr><\/thead><tbody>
<tr><td rowspan=\"6\">Confluence Data Center and Server<\/td><td rowspan=\"6\">8.9.0 to 8.9.2<br>8.8.0 to 8.8.1<br>8.7.1 to 8.7.2<br>8.6.0 to 8.6.2<br>8.5.0 to 8.5.10 (LTS)<br>8.4.0 to 8.4.5<br>8.3.0 to 8.3.4<br>8.2.0 to 8.2.3<br>8.1.0 to 8.1.4<br>8.0.0 to 8.0.4<br>7.20.0 to 7.20.3<br>7.19.0 to 7.19.23 (LTS)<\/td><td rowspan=\"6\">8.9.3 <strong>Data Center only<\/strong><br>8.5.11 (LTS), recommended<br>7.19.24 (LTS)<\/td><td>Improper Authorization in org.springframework.security:spring-security-core Dependency in Confluence Data Center and Server<\/td><td>CVE-2024-22257<\/td><td>8.2 High<\/td><\/tr>
<tr><td>SSRF (Server-Side Request Forgery) in org.springframework:spring-web Dependency in Confluence Data Center and Server<\/td><td>CVE-2024-22243<\/td><td>8.1 High<\/td><\/tr>
<tr><td>SSRF (Server-Side Request Forgery) in org.springframework:spring-web Dependency in Confluence Data Center and Server<\/td><td>CVE-2024-22262<\/td><td>8.1 High<\/td><\/tr>
<tr><td>SSRF (Server-Side Request Forgery) in org.springframework:spring-web Dependency in Confluence Data Center and Server<\/td><td>CVE-2024-22259<\/td><td>8.1 High<\/td><\/tr>
<tr><td>DoS (Denial of Service) in org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server<\/td><td>CVE-2024-29133<\/td><td>7.5 High<\/td><\/tr>
<tr><td>DoS (Denial of Service) in org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server<\/td><td>CVE-2024-29131<\/td><td>7.5 High<\/td><\/tr>
<\/tbody><\/table>
<\/figcaption><\/figure>\n\n\n\n

Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS) address these vulnerabilities. Note that 8.9.3 is a Data Center-only release and that Atlassian marks 8.5.11 (LTS) as the recommended upgrade target.<\/p>\n\n\n\n

Atlassian also fixed a DoS vulnerability, tracked as CVE-2022-25647<\/a>, in Fisheye and Crucible with the release of version 4.8.15.<\/p>\n\n\n\n

The software firm also fixed the following information disclosure vulnerability in Jira Data Center and Server and in Jira Service Management Data Center and Server:<\/p>\n\n\n\n

<table><thead><tr><th>Product & Release Notes<\/th><th>Affected Versions<\/th><th>Fixed Version<\/th><th>Vulnerability Summary<\/th><th>CVE ID<\/th><th>CVSS Severity<\/th><\/tr><\/thead><tbody>
<tr><td>Jira Data Center and Server<\/td><td>9.12.0 to 9.12.7 (LTS)<br>9.4.0 to 9.4.20 (LTS)<\/td><td>9.16.0 to 9.16.1 <strong>Data Center only<\/strong><br>9.12.8 to 9.12.10 (LTS), recommended<br>9.4.21 to 9.4.23 (LTS)<\/td><td>Information Disclosure in Jira Core Data Center<\/td><td>CVE-2024-21685<\/td><td>7.4 High<\/td><\/tr>
<tr><td>Jira Service Management Data Center and Server<\/td><td>5.15.2<br>5.12.0 to 5.12.7 (LTS)<br>5.4.0 to 5.4.20 (LTS)<\/td><td>5.16.0 to 5.16.1 <strong>Data Center only<\/strong><br>5.12.8 to 5.12.10 (LTS), recommended<br>5.4.21 to 5.4.23 (LTS)<\/td><td>Information Disclosure in Jira Service Management Data Center and Server<\/td><td>CVE-2024-21685<\/td><td>7.4 High<\/td><\/tr>
<\/tbody><\/table>
<\/figcaption><\/figure>\n\n\n\n
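The Confluence and Jira tables above read as a fleet-triage problem: given an installed version, is it inside an affected range, and which fixed build should it move to. The script below is an added example, not code from Atlassian or from this article. It transcribes the affected and fixed versions from the two tables and adds its own triage logic, including an "unlisted" verdict for versions the bulletin does not name (for example 8.7.0, or a release line newer than the table), which should be treated as unknown rather than safe. The product keys, the Verdict type and the sample inventory are this example's own assumptions.

```python
"""Triage installed Confluence / Jira Data Center versions against the
June 2024 Atlassian Security Bulletin ranges quoted above.

Added example, not Atlassian's or the article's code. The version ranges
are transcribed from the bulletin tables; the triage rules and the
"unlisted" verdict are this example's own assumptions.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# (first affected, last affected) per release line, from the bulletin tables.
AFFECTED: dict[str, list[tuple[str, str]]] = {
    "confluence": [
        ("8.9.0", "8.9.2"), ("8.8.0", "8.8.1"), ("8.7.1", "8.7.2"),
        ("8.6.0", "8.6.2"), ("8.5.0", "8.5.10"), ("8.4.0", "8.4.5"),
        ("8.3.0", "8.3.4"), ("8.2.0", "8.2.3"), ("8.1.0", "8.1.4"),
        ("8.0.0", "8.0.4"), ("7.20.0", "7.20.3"), ("7.19.0", "7.19.23"),
    ],
    "jira": [("9.12.0", "9.12.7"), ("9.4.0", "9.4.20")],
}

# Lowest fixed build per line; the bulletin's recommended LTS is listed first
# so it is the fallback when no fix exists on the installed x.y line.
FIXED: dict[str, list[str]] = {
    "confluence": ["8.5.11", "8.9.3", "7.19.24"],
    "jira": ["9.12.8", "9.16.0", "9.4.21"],
}


class Verdict(NamedTuple):
    status: str          # "affected", "fixed" or "unlisted"
    target: str | None   # build to upgrade to when status == "affected"


def parse(version: str) -> tuple[int, int, int]:
    """Parse 'x.y.z' into integers so that 8.5.9 < 8.5.10 compares correctly
    (a plain string comparison would rank 8.5.9 above 8.5.10)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside any affected range for the product."""
    v = parse(version)
    return any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED[product])


def triage(product: str, version: str) -> Verdict:
    """Classify an installed version.

    affected -> target is the fixed build on the same x.y line when the
                bulletin lists one, otherwise the recommended LTS.
    fixed    -> at or above the fixed build on the same x.y line.
    unlisted -> in no range the bulletin names; treat as unknown, not safe.
    """
    v = parse(version)
    same_line = [f for f in FIXED[product] if parse(f)[:2] == v[:2]]
    if is_affected(product, version):
        return Verdict("affected", same_line[0] if same_line else FIXED[product][0])
    if same_line and v >= parse(same_line[0]):
        return Verdict("fixed", None)
    return Verdict("unlisted", None)


if __name__ == "__main__":
    # Constructed inventory, standing in for what an asset list would return.
    inventory = [("confluence", "8.5.10"), ("confluence", "8.5.9"),
                 ("confluence", "7.20.3"), ("confluence", "8.7.0"),
                 ("jira", "9.4.20"), ("jira", "9.12.10")]
    for product, version in inventory:
        print(product, version, triage(product, version))
```

Run the script as-is to see the verdicts for the constructed inventory, or import `triage` and feed it the product and version strings from your own asset data. Upgrade targets follow the bulletin: a 7.20.x install has no fixed build on its own line, so it is pointed at the recommended 8.5.11 (LTS).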

The company is not aware of attacks in the wild exploiting the vulnerabilities fixed in the June 2024\u00a0Security Bulletin<\/a>.<\/p>\n\n\n\n


Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n

(<\/strong>SecurityAffairs<\/strong><\/a> \u2013<\/strong> hacking, China)<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Australian software company Atlassian addressed multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira solutions. Atlassian June 2024 Security Bulletin addressed nine high-severity vulnerabilities in Confluence, Crucible, and Jira products. The most severe issue addressed by the company is an improper authorization org.springframework.security:spring-security-core dependency in Confluence Data Center and Server. The flaw tracked as CVE-2024-22257 […]<\/p>\n","protected":false},"author":1,"featured_media":121555,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,55],"tags":[6596,12250,4112,9508,9506,10918,687,841,1533],"class_list":["post-164743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-security","tag-atlassian","tag-atlassian-confluence","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-pierluigi-paganini","tag-security-affairs","tag-security-news"],"yoast_head":"\n