Atlassian fixed critical flaws in Confluence and Crowd

Article thumbnail image

This post was originally published on Security Affairs. It can be found here.

Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira.

Software firm Atlassian released security patches to address 12 critical- and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira products.

The most severe vulnerabilities addressed by the company are:

CVE-2024-50379 – (CVSS score of 9.8) – RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server in Confluence Data Center. The flaw is a TOCTOU race condition in Apache Tomcat that allows RCE on case-insensitive file systems with a non-default write-enabled servlet. Update to 11.0.2, 10.1.34, or 9.0.98.

CVE-2024-56337 – (CVSS score of 9.8) – RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server. The flaw is an Apache Tomcat’s TOCTOU vulnerability, caused by incomplete mitigation for CVE-2024-50379. The vulnerability requires extra config on case-insensitive file systems. Fix in 11.0.3, 10.1.35, 9.0.99.

CVE-2024-52316 – (CVSS score of 9.8) – BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server. An unchecked error in Apache Tomcat’s Jakarta Authentication may allow auth bypass if a custom ServerAuthContext fails without setting an HTTP status. Affects versions 9.0.0-M1–9.0.95, 10.1.0-M1–10.1.30, 11.0.0-M1–11.0.0-M26. Upgrade to 9.0.96, 10.1.31, or 11.0.0.

CVE-2024-50379 – (CVSS score of 9.8) – A TOCTOU race condition in Apache Tomcat allows RCE on case-insensitive file systems. Affects versions 9.0.0.M1-9.0.97, 10.1.0-M1-10.1.33, 11.0.0-M1-11.0.1. Upgrade to 9.0.98, 10.1.34, or 11.0.2.

CVE-2024-56337 – (CVSS score of 9.8) – Apache Tomcat’s TOCTOU race condition (CVE-2024-50379) fix was incomplete. Affects versions 9.0.0-M1–9.0.97, 10.1.0-M1–10.1.33, 11.0.0-M1–11.0.1. Users on case-insensitive file systems with write-enabled default servlet need additional Java-specific mitigations. Fixed in Tomcat 9.0.99, 10.1.35, and 11.0.3.

The company did not disclose whether these flaws have been exploited in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian)

This post was originally published on this site

Forum Search

Partners & Sponsors
  • University of Baltimore
  • Towson University
  • Bureau of Justice Assistance
  • National Science Foundation
LATEST FORUM POSTS
Test post2

Test Post2

By Demo User12, 1 year ago

Finding internships

Hello, Has anyone here secured any forensic related internships for 2024? I'm collecting some data and wanted to know what...

By AP Malla, 1 year ago

Beginner network forensic investigation

How should I approach network forensic? Would you recommend learning tools like WireShark?

By AP Malla, 1 year ago

Cyber Forensic Employment: High level guidelines

Understand the Basics: Know the Field: Cyber forensics involves investigating digital crimes, analyzing electronic data, and recovering hidden, deleted, or...

By AP Malla, 1 year ago

LATEST POSTS
Article thumbnail image
Crypto exchange Bybit was the victim of a sophisticated attack, and threat act
Apple removed iCloud’s Advanced Data Protection in the UK after the governmen
Experts warn that the carding website B1ack’s Stash released a collection o
Article thumbnail image
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Craft CMS and