
Atlassian released patches to address multiple vulnerabilities in its Bamboo, Bitbucket, Confluence, and Jira products.
The most severe vulnerability, tracked as CVE-2024-1597 with a CVSS score of 10, is a SQL injection flaw that impacts the org.postgresql:postgresql third-party dependency of Bamboo Data Center and Server.
This org.postgresql:postgresql dependency vulnerability could allow an unauthenticated attacker to expose assets in your environment that are susceptible to exploitation. It has a high impact on confidentiality, integrity, and availability (CIA) and requires no user interaction.
The vulnerability impacts Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0. The vulnerability was addressed with the release of versions 9.6.0 (LTS), 9.5.2, 9.4.4, and 9.2.12 (LTS).
Atlassian also fixed a denial-of-service (DoS) issue in the software.amazon.ion:ion-java dependency, tracked as CVE-2024-21634 with a CVSS score of 7.5, that impacts Bamboo Data Center and Server. It allows an unauthenticated attacker to expose assets in your environment that are susceptible to exploitation. It has no impact on confidentiality, no impact on integrity, and a high impact on availability, and it requires no user interaction.
The high-severity software.amazon.ion:ion-java dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.


