Atlassian Releases March 2024 Security Bulletin

Atlassian security updates address multiple vulnerabilities including one critical severity vulnerability affecting Bamboo Data Center and Server

Threat ID:: CC-4469
Threat Severity:: Medium
Published:: 20 March 2024 3:23 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Atlassian security updates address multiple vulnerabilities including one critical severity vulnerability affecting Bamboo Data Center and Server

Affected platforms

The following platforms are known to be affected:

Atlassian Confluence Data Center

8.8.0
8.7.0 to 8.7.2
8.6.0 to 8.6.2
8.5.0 to 8.5.6 (LTS)
8.4.0 to 8.4.5
8.3.0 to 8.3.4
8.2.0 to 8.2.3
8.1.0 to 8.1.4
8.0.0 to 8.0.4
7.20.0 to 7.20.3
7.19.0 (LTS) to 7.19.19 (LTS)
7.18.0 to 7.18.3
7.17.0 to 7.17.5
Any earlier version

Atlassian Confluence Server

8.8.0
8.7.0 to 8.7.2
8.6.0 to 8.6.2
8.5.0 to 8.5.6 (LTS)
8.4.0 to 8.4.5
8.3.0 to 8.3.4
8.2.0 to 8.2.3
8.1.0 to 8.1.4
8.0.0 to 8.0.4
7.20.0 to 7.20.3
7.19.0 (LTS) to 7.19.19 (LTS)
7.18.0 to 7.18.3
7.17.0 to 7.17.5
Any earlier version

Atlassian Bitbucket Server

8.18.0
8.17.0 to 8.17.1
8.16.0 to 8.16.2
8.15.0 to 8.15.3
8.14.0 to 8.14.4
8.13.0 to 8.13.5
8.12.0 to 8.12.3
8.11.0 to 8.11.1
8.10.0 to 8.10.1
8.9.0 to 8.9.9 (LTS)
Any earlier versions (except 7.21.22)

Atlassian Bitbucket Data Center

8.18.0
8.17.0 to 8.17.1
8.16.0 to 8.16.2
8.15.0 to 8.15.3
8.14.0 to 8.14.4
8.13.0 to 8.13.5
8.12.0 to 8.12.3
8.11.0 to 8.11.1
8.10.0 to 8.10.1
8.9.0 to 8.9.9 (LTS)
Any earlier versions (except 7.21.22)

Atlassian Bamboo Data Center

9.5.0 to 9.5.1
9.4.0 to 9.4.3
9.3.0 to 9.3.6
9.2.0 to 9.2.11 (LTS)
9.1.0 to 9.1.3
9.0.0 to 9.0.4
8.2.0 to 8.2.9
Any earlier versions

Atlassian Bamboo Server

9.5.0 to 9.5.1
9.4.0 to 9.4.3
9.3.0 to 9.3.6
9.2.0 to 9.2.11 (LTS)
9.1.0 to 9.1.3
9.0.0 to 9.0.4
8.2.0 to 8.2.9
Any earlier versions

Atlassian Jira Server

9.12.0 to 9.12.2 LTS
9.11.0 to 9.11.3
9.10.0 to 9.10.2
9.9.0 to 9.9.2
9.8.0 to 9.8.2
9.7.0 to 9.7.2
9.6.0
9.5.0 to 9.5.1
9.4.0 to 9.4.17 LTS
9.3.0 to 9.3.3
9.2.0 to 9.2.1
9.1.0 to 9.1.1
9.0.0
Any earlier versions

Atlassian Jira Data Center

9.12.0 to 9.12.2 LTS
9.11.0 to 9.11.3
9.10.0 to 9.10.2
9.9.0 to 9.9.2
9.8.0 to 9.8.2
9.7.0 to 9.7.2
9.6.0
9.5.0 to 9.5.1
9.4.0 to 9.4.17 LTS
9.3.0 to 9.3.3
9.2.0 to 9.2.1
9.1.0 to 9.1.1
9.0.0
Any earlier versions

Threat details

Introduction

The Atlassian March 2024 Security Bulletin addresses one critical severity vulnerability in Bamboo Data Center and Server, along with 24 high severity vulnerabilities in Bamboo, Bitbucket, Confluence and Jira Data Centers and Servers.

The critical severity vulnerability has been assigned CVE-2024-1597, and could allow an unauthenticated attacker to expose data stored on an affected server. Other vulnerabilities could allow denial-of-service, remote code execution or information exposure on an affected system.

Remediation advice

Affected organisations are encouraged to review the Atlassian March 2024 Security Bulletin and apply the relevant updates.

Definitive source of threat updates

https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html

CVE Vulnerabilities

Status Published

CVE-2024-1597

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

Last edited: 20 March 2024 3:23 pm