On 21 May 2024, Atlassian published a security bulletin covering vulnerabilities in the following products:

• Bamboo Data Center – multiple versions

• Bamboo Server – multiple versions

• Bitbucket Data Center – multiple versions

• Bitbucket Server – multiple versions

• Confluence Data Center – multiple versions

• Confluence Server – multiple versions

• Crowd Data Center – multiple versions

• Crowd Server – multiple versions

• Jira Service Management Data Center – multiple versions

• Jira Service Management Server – multiple versions

• Jira Software Data Center – multiple versions

• Jira Software Server – multiple versions

The vulnerabilities described in this Security Bulletin comprise 35 high-severity and 2 critical-severity issues, all fixed in new versions of Atlassian's products released over the past month. Most of them are in third-party dependencies bundled with the products (Jackson, Spring, Tomcat, Jetty, Struts, the PostgreSQL JDBC driver and others); only one, CVE-2024-21683, is a vulnerability in Atlassian's own Confluence code.

For each product the table below lists the vulnerable versions, the fixed versions (with Atlassian's notes on which fix is recommended and which releases exist for Data Center only), and the individual vulnerabilities as advisory title, CVE ID and CVSS score. Each version range is inclusive at both ends; a single version such as 8.9.0 means only that release.

Bamboo Data Center and Server
Vulnerable versions: 9.5.0 to 9.5.1; 9.4.0 to 9.4.4; 9.3.0 to 9.3.6; 9.2.1 to 9.2.13 (LTS); 9.1.0 to 9.1.3; 9.0.0 to 9.0.4
Fixed versions: 9.6.0 (LTS), Data Center only, recommended; 9.5.2 to 9.5.4, Data Center only; 9.2.14 (LTS)
Vulnerabilities:
• RCE (Remote Code Execution) org.eclipse.jgit:org.eclipse.jgit Dependency in Bamboo Data Center and Server (CVE-2023-4759, CVSS 8.8)

Bitbucket Data Center and Server
Vulnerable versions: 8.19.0 to 8.19.2 (LTS); 8.18.0 to 8.18.1; 8.17.0 to 8.17.2; 8.16.0 to 8.16.4; 8.15.0 to 8.15.5; 8.14.0 to 8.14.6; 8.13.0 to 8.13.6; 8.12.0 to 8.12.6; 8.11.0 to 8.11.6; 8.10.0 to 8.10.6; 8.9.0 to 8.9.13 (LTS); 8.8.0 to 8.8.7; 8.7.0 to 8.7.5; 8.6.0 to 8.6.4; 8.5.0 to 8.5.4; 8.4.0 to 8.4.4; 8.3.0 to 8.3.4; 8.2.0 to 8.2.4; 8.1.0 to 8.1.5; 8.0.1 to 8.0.5
Fixed versions: 8.19.3 (LTS), recommended, Data Center only; 8.9.14 (LTS)
Vulnerabilities:
• Improper Authorization org.springframework.security:spring-security-core Dependency in Bitbucket Data Center and Server (CVE-2024-22257, CVSS 8.2)
• SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Bitbucket Data Center and Server (CVE-2024-22262, CVSS 8.1)

Confluence Data Center and Server
Vulnerable versions: 8.9.0; 8.8.0 to 8.8.1; 8.7.1 to 8.7.2; 8.6.0 to 8.6.2; 8.5.0 to 8.5.8 (LTS); 8.4.0 to 8.4.5; 8.3.0 to 8.3.4; 8.2.0 to 8.2.3; 8.1.0 to 8.1.4; 8.0.0 to 8.0.4; 7.20.0 to 7.20.3; 7.19.0 to 7.19.21 (LTS)
Fixed versions: 8.9.1, Data Center only; 8.5.9 (LTS), recommended; 7.19.22 (LTS)
Vulnerabilities:
• SQLi (SQL Injection) org.postgresql:postgresql Dependency in Confluence Data Center and Server (CVE-2024-1597, CVSS 9.8)
  NOTE: CVE-2024-1597 is a critical vulnerability in a non-Atlassian Confluence dependency. However, Atlassian's application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory.
• RCE (Remote Code Execution) in Confluence Data Center and Server (CVE-2024-21683, CVSS 8.3)
• Improper Authorization com.hazelcast:hazelcast Dependency in Confluence Data Center and Server (CVE-2023-45859, CVSS 7.6)
• DoS (Denial of Service) org.apache.tomcat:tomcat-websocket Dependency in Confluence Data Center and Server (CVE-2024-23672, CVSS 7.5)
• DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Confluence Data Center and Server (CVE-2024-24549, CVSS 7.5)

Crowd Data Center and Server
Vulnerable versions: 5.2.0 to 5.2.4; 5.1.0 to 5.1.9; 5.0.1 to 5.0.11
Fixed versions: 5.3.0 to 5.3.1, recommended, Data Center only
Vulnerabilities:
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-11113, CVSS 8.8)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-11112, CVSS 8.8)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-11111, CVSS 8.8)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-10969, CVSS 8.8)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-10968, CVSS 8.8)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-10673, CVSS 8.8)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-10672, CVSS 8.8)
• Improper Authorization org.springframework.security:spring-security-core Dependency in Crowd Data Center and Server (CVE-2024-22257, CVSS 8.2)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-36180, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-36184, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-36188, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-36181, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-36182, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-24616, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-35728, CVSS 8.1)
• Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2020-36179, CVSS 8.1)
• Security Misconfiguration org.eclipse.jetty:jetty-server Dependency in Crowd Data Center and Server (CVE-2017-7656, CVSS 7.5)
• DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server (CVE-2023-34396, CVSS 7.5)
• DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server (CVE-2023-41835, CVSS 7.5)
• Information Disclosure org.eclipse.jetty:jetty-util Dependency in Crowd Data Center and Server (CVE-2017-9735, CVSS 7.5)
• DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server (CVE-2022-42003, CVSS 7.5)
• DoS (Denial of Service) org.eclipse.jetty:jetty-io Dependency in Crowd Data Center and Server (CVE-2021-28165, CVSS 7.5)

Jira Software Data Center and Server
Vulnerable versions: 9.14.0 to 9.14.1; 9.13.0 to 9.13.1; 9.12.0 to 9.12.6 (LTS); 9.11.0 to 9.11.3; 9.10.0 to 9.10.2; 9.9.0 to 9.9.2; 9.8.0 to 9.8.2; 9.7.0 to 9.7.2; 9.6.0; 9.5.0 to 9.5.1; 9.4.0 to 9.4.19 (LTS); 9.3.0 to 9.3.3; 9.2.0 to 9.2.1; 9.1.0 to 9.1.1; 9.0.0
Fixed versions: 9.15.2, Data Center only; 9.12.7 to 9.12.8 (LTS), recommended; 9.4.20 to 9.4.21 (LTS)
Vulnerabilities:
• SQLi (SQL Injection) org.postgresql:postgresql Dependency in Jira Software Data Center and Server (CVE-2024-1597, CVSS 9.8)
• Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server (CVE-2024-22257, CVSS 8.2)
• DoS (Denial of Service) com.google.code.gson:gson Dependency in Jira Software Data Center and Server (CVE-2022-25647, CVSS 7.5)
• DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Software Data Center and Server (CVE-2022-41966, CVSS 7.5)
• DoS (Denial of Service) org.apache.tomcat:tomcat-websocket Dependency in Jira Software Data Center and Server (CVE-2024-23672, CVSS 7.5)

Jira Service Management Data Center and Server
Vulnerable versions: 5.14.0 to 5.14.1; 5.13.0 to 5.13.1; 5.12.0 to 5.12.7 (LTS); 5.11.0 to 5.11.3; 5.10.0 to 5.10.2; 5.9.0 to 5.9.2; 5.8.0 to 5.8.2; 5.7.0 to 5.7.2; 5.6.0; 5.5.0 to 5.5.1; 5.4.0 to 5.4.19 (LTS); 5.3.0 to 5.3.3; 5.2.0 to 5.2.1; 5.1.0 to 5.1.1; 5.0.0
Fixed versions: 5.15.2; 5.12.7 to 5.12.8 (LTS), recommended; 5.4.20 to 5.4.21 (LTS)
Vulnerabilities:
• Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Service Management Data Center and Server (CVE-2024-22257, CVSS 8.2)
• DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Service Management Data Center and Server (CVE-2024-21634, CVSS 7.5)

Note that several fixes are marked "Data Center only"; installations still on a Server licence have to move to the listed LTS release of their product (for example Confluence 8.5.9 or 7.19.22) to pick up the fixes.
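The version ranges in a bulletin like this are easy to misread when checking many instances by hand (string comparison puts 8.10.0 before 8.9.13, and the fix on your own release line is not always the recommended one). The following script is an added example, not Atlassian code: it parses the bulletin's range notation into comparable tuples, checks an installed version against the affected ranges, and proposes the smallest upgrade that clears them. The affected and fixed versions are transcribed from the table above for Bamboo, Confluence and Crowd only (the other products can be added in the same format), and the "nearest fix" rule is this example's own heuristic, not Atlassian guidance.

```python
# Added example: check an installed Atlassian product version against the
# affected/fixed ranges from the May 2024 bulletin. Not Atlassian code. The
# data below is transcribed from the bulletin for three products; the
# nearest-fix rule is a heuristic of this example only.
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'8.5.9' -> (8, 5, 9). Tuples compare numerically, so 8.10.0 > 8.9.13."""
    return tuple(int(p) for p in text.strip().split("."))


@dataclass(frozen=True)
class VersionRange:
    low: tuple
    high: tuple
    lts: bool = False

    def contains(self, v: tuple) -> bool:
        # Bulletin ranges are inclusive at both ends.
        return self.low <= v <= self.high


def parse_range(text: str) -> VersionRange:
    """Parse one bulletin cell: '9.2.1 to 9.2.13 (LTS)' or a single '8.9.0'."""
    lts = "(LTS)" in text
    body = text.replace("(LTS)", "").strip()
    lo, _, hi = body.partition(" to ")
    return VersionRange(parse_version(lo), parse_version(hi or lo), lts)


# Affected ranges, transcribed from the bulletin table above.
AFFECTED = {
    "Bamboo": [parse_range(r) for r in (
        "9.5.0 to 9.5.1", "9.4.0 to 9.4.4", "9.3.0 to 9.3.6",
        "9.2.1 to 9.2.13 (LTS)", "9.1.0 to 9.1.3", "9.0.0 to 9.0.4")],
    "Confluence": [parse_range(r) for r in (
        "8.9.0", "8.8.0 to 8.8.1", "8.7.1 to 8.7.2", "8.6.0 to 8.6.2",
        "8.5.0 to 8.5.8 (LTS)", "8.4.0 to 8.4.5", "8.3.0 to 8.3.4",
        "8.2.0 to 8.2.3", "8.1.0 to 8.1.4", "8.0.0 to 8.0.4",
        "7.20.0 to 7.20.3", "7.19.0 to 7.19.21 (LTS)")],
    "Crowd": [parse_range(r) for r in (
        "5.2.0 to 5.2.4", "5.1.0 to 5.1.9", "5.0.1 to 5.0.11")],
}

# Lowest fixed version of each fix range, with the bulletin's notes.
FIXED = {
    "Bamboo": [("9.6.0", "LTS, Data Center only, recommended"),
               ("9.5.2", "Data Center only"), ("9.2.14", "LTS")],
    "Confluence": [("8.9.1", "Data Center only"),
                   ("8.5.9", "LTS, recommended"), ("7.19.22", "LTS")],
    "Crowd": [("5.3.0", "Data Center only, recommended")],
}


def find_affected_range(product: str, installed: str) -> Optional[VersionRange]:
    v = parse_version(installed)
    return next((r for r in AFFECTED[product] if r.contains(v)), None)


def nearest_fix(product: str, installed: str):
    """Prefer a fix on the installed major.minor line (smallest upgrade);
    otherwise the lowest fixed version above the installed one."""
    v = parse_version(installed)
    candidates = [(parse_version(f), f, note) for f, note in FIXED[product]]
    same_line = sorted(c for c in candidates if c[0][:2] == v[:2] and c[0] > v)
    above = sorted(c for c in candidates if c[0] > v)
    pick = same_line or above
    return (pick[0][1], pick[0][2]) if pick else None


def assess(product: str, installed: str) -> dict:
    r = find_affected_range(product, installed)
    return {
        "product": product,
        "installed": installed,
        "affected": r is not None,
        "lts_line": bool(r and r.lts),
        "fix": nearest_fix(product, installed) if r else None,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("Confluence", "8.5.7"), ("Confluence", "8.9.1"),
                      ("Confluence", "7.20.3"), ("Crowd", "5.0.11"),
                      ("Bamboo", "9.2.14")]:
        print(assess(prod, ver))
```

Confluence 7.20.3 illustrates why the heuristic matters: there is no fix on the 7.20 line and 7.19.22 is below the installed version, so the smallest clearing upgrade is 8.5.9 (LTS), which is also the recommended release.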