Atlassian has released patches for two vulnerabilities in Confluence Data Center and Server and another in Bamboo Data Center.
In its advisory, Atlassian says the newly disclosed flaws are the result of an expanded scope of its vulnerability disclosure policy, which previously focused on first-party, critical-severity bugs.
The first vulnerability, tracked as CVE-2023-22508 with a CVSS score of 8.5, was found in Confluence version 7.4.0; the second, tracked as CVE-2023-22505 with a CVSS score of 8.0, was found in Confluence version 8.0.0.
Both vulnerabilities could allow an attacker to execute arbitrary code, with impact on confidentiality, integrity, and availability. No user interaction is required for exploitation, but the attacker must be authenticated as a valid user.
Both flaws were addressed with the release of Confluence versions 8.3.2 and 8.4.0. Customers who are unable to upgrade to one of these versions should at least update to version 8.2.0, which patches CVE-2023-22508.
Atlassian also released a patch for another high-severity RCE vulnerability, tracked as CVE-2023-22506 with a CVSS score of 7.5, which resides in Bamboo Data Center version 8.0.0. That vulnerability was addressed in versions 9.2.3 and 9.3.1 of the enterprise solution.
The US Cybersecurity and Infrastructure Security Agency (CISA) advises users and administrators to apply the available patches as soon as possible, since successful exploitation of these bugs could lead to system takeover. None of the bugs are being exploited in the wild at this time.