
Atlassian Confluence Remote Code Execution Vulnerability – CVE-2023-22527 (and more)

17 January 2024 (updated: 22 January 2024)

Introduction

Atlassian has published a security advisory about a remote code execution vulnerability in Atlassian Confluence Data Center and Server.

CVE-2023-22527 (CVSS 3.1: 10.0 [CRITICAL]) is caused by a template injection vulnerability that can be escalated to remote code execution.

Software updates containing security patches for this vulnerability have been released and are described below. Atlassian Cloud is not affected by this vulnerability.

In addition, Atlassian has published its January 2024 security bulletin, which lists 28 high-severity vulnerabilities fixed in the latest versions of its products, as detailed at the end of this post.

Affected Versions

Confluence Data Center and Server:

  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0-8.5.3

Version 7.19.x LTS is not affected.

Recommendations

Atlassian recommends patching outdated versions immediately by installing the latest version.

Confluence Data Center and Server

  • Patch released: 8.5.4 (LTS)
  • Latest version: 8.5.5 (LTS)

Confluence Data Center

  • Patch released: 8.6.0 (Data Center only)
  • Latest version: 8.7.12 (Data Center only)
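The affected and fixed version ranges above are the only facts a defender needs to triage an inventory of Confluence instances. The following script is an added example, not part of this bulletin or of any Atlassian tooling: it encodes the ranges listed above (8.0.x through 8.4.x and 8.5.0 to 8.5.3 affected; 8.5.4 LTS and 8.6.0 Data Center as the fixed releases), parses version strings, and flags which hosts still need patching. The host names and versions in `SAMPLE_INVENTORY` are constructed sample data, and versions outside the listed ranges are treated as not affected for the purposes of this bulletin only.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as listed in the bulletin (assumption: nothing outside
# these ranges is affected by CVE-2023-22527).
AFFECTED_MINORS_8X = range(0, 5)   # 8.0.x .. 8.4.x
LAST_AFFECTED_85_PATCH = 3         # 8.5.0 .. 8.5.3

# Fixed releases named in the bulletin.
FIXED_LTS = "8.5.4"       # Confluence Data Center and Server (LTS)
FIXED_DC_ONLY = "8.6.0"   # Confluence Data Center only

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory (host name, reported Confluence version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("wiki-prod-01", "8.5.3"),
    ("wiki-prod-02", "8.5.4"),
    ("wiki-dev-01", "8.2.1"),
    ("wiki-legacy-01", "7.19.17"),
    ("wiki-dc-01", "8.6.0"),
]


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a dotted version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside the bulletin's affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable Confluence version: {version!r}")
    major, minor, patch = v
    if major != 8:
        # 7.19.x LTS is explicitly not affected; other majors are not listed.
        return False
    if minor in AFFECTED_MINORS_8X:
        return True
    return minor == 5 and patch <= LAST_AFFECTED_85_PATCH


def recommended_fix(version: str, data_center: bool = False) -> Optional[str]:
    """Fixed release to move to, or None if the version is already not affected."""
    if not is_affected(version):
        return None
    return FIXED_DC_ONLY if data_center else FIXED_LTS


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the host names whose reported version is still affected."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        fix = recommended_fix(version)
        status = f"AFFECTED -> upgrade to {fix}" if fix else "not affected"
        print(f"{host:16} {version:10} {status}")
```

Feed `triage` the output of whatever inventory source you already have (CMDB export, `GET /rest/api/settings/systemInfo` responses, or a list typed by hand); the parser only relies on the leading `major.minor.patch` so suffixes such as build tags do not break it.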

More Vulnerabilities

CVE-2022-42252 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server
CVE-2020-25649 (CVSS:3.1: 7.5 – High) – XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server
CVE-2022-44729 (CVSS:3.1: 7.1 – High) – SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server
CVE-2021-40690 (CVSS:3.1: 7.5 – High) – Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server
CVE-2023-46589 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server
CVE-2023-3635 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server
CVE-2023-22526 (CVSS:3.1: 7.2 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2024-21672 (CVSS:3.1: 8.3 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2024-21673 (CVSS:3.1: 8.0 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2024-21674 (CVSS:3.1: 8.6 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2023-43642 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-6481 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
CVE-2023-6378 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
CVE-2023-46589 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server
CVE-2023-34455 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-34454 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-34453 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-36478 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server
CVE-2023-5072 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server
CVE-2023-36478 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server
CVE-2023-39410 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server
CVE-2020-26217 (CVSS:3.1: 8.8 – High) – RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
CVE-2017-7957 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
CVE-2022-4244 (CVSS:3.1: 7.5 – High) – Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server
CVE-2018-10054 (CVSS:3.1: 8.8 – High) – RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server
CVE-2023-5072 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server
CVE-2023-46589 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server
CVE-2022-40152 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and Server