On 6 December 2023, Atlassian disclosed four critical remote code execution vulnerabilities impacting several products, including the popular Jira and Confluence.
The vulnerabilities are as follows:
CVE-2022-1471 (CVSS score: 9.8): a deserialization vulnerability in the SnakeYAML library that may lead to remote code execution in multiple products. Affected products include the Automation for Jira (A4J) app (including Server Lite edition), Bitbucket Data Center and Server, Confluence Data Center and Server, Confluence Cloud Migration App (CCMA), Jira Core Data Center and Server, Jira Service Management Data Center and Server, Jira Software Data Center and Server.
CVE-2023-22522 (CVSS score: 9.0): Confluence Data Center and Confluence Server are susceptible to a remote code execution vulnerability, affecting all versions from 4.0.0 onwards. This flaw enables an authenticated attacker, including those with anonymous access, to introduce potentially harmful user input into a Confluence page, leading to the execution of code.
CVE-2023-22523 (CVSS score: 9.8): Assets Discovery for Jira Service Management Cloud, Server, and Data Center is vulnerable to remote code execution, impacting all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server. This vulnerability may enable a privileged remote code execution on machines with the Assets Discovery agent installed.
CVE-2023-22524 (CVSS score: 9.6): The Atlassian Companion app for macOS has a remote code execution vulnerability, affecting all versions up to but not including 2.0.0. A potential attacker may bypass Atlassian Companion's blocklist and macOS Gatekeeper protections, achieving code execution ability via WebSockets.
Recommended remediation measures include upgrading Confluence Data Center, Confluence Server, Assets Discovery, and Atlassian Companion to versions that include necessary security patches.