Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.
The list of vulnerabilities is below –
Atlassian described CVE-2023-22522 as a template injection flaw that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page, resulting in code execution.
The Assets Discovery flaw allows an attacker to perform privileged remote code execution on machines with the Assets Discovery agent installed, whereas CVE-2023-22524 could permit an attacker to achieve code execution by utilizing WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections.
The advisory comes nearly a month after the Australian software company revealed all versions of its Bamboo Data Center and Server products are impacted by an actively exploited critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). Fixes have been released in versions 9.2.7, 9.3.5, and 9.4.1 or later.
With Atlassian products becoming lucrative attack vectors in recent years, it’s highly recommended that users move quickly to update affected installations to a patched version.