Atlassian Security advisories June 2024



Atlassian has addressed multiple vulnerabilities in its Confluence, Crucible, and Jira solutions as part of June 2024 security advisory releases.

Confluence Data Center and Server

The first vulnerability, tracked as CVE-2024-22257 and the most severe of these flaws, is a broken access control issue in the Spring Framework that could allow unauthenticated attackers to expose assets they should not have access to.

Three server-side request forgery (SSRF) vulnerabilities in the URL parsing functionality of the Spring Framework, tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259, were also fixed; each can trigger different output.


Atlassian also updated Confluence Data Center and Server with patches for two out-of-bounds write bugs in Apache Commons Configuration, which could allow unauthenticated attackers to cause a denial-of-service (DoS) condition by submitting a crafted configuration file or input.

Patches for all vulnerabilities have been included in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Atlassian Jira & Jira Management Data Center and Server

The fixed bugs are information disclosure vulnerabilities that can be exploited without authentication.

They are tracked as CVE-2024-21685, which is resolved in Jira Data Center and Server versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS), and in Jira Service Management Data Center and Server versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).


Atlassian Crucible Data Center and Server

The vulnerability tracked as CVE-2022-25647 is a deserialization of untrusted data vulnerability in the com.google.code.gson:gson package, which could be exploited by unauthenticated attackers to cause a DoS condition. The issue impacts Crucible version 4.8.0 and below, and the recommended version is 4.8.15.
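As an added example (not part of the advisory and not Atlassian tooling), the following Python checker encodes the fixed versions listed above and reports whether an installed Data Center/Server version sits on a patched release. It assumes that a release newer than the newest listed fix also contains it, and treats a version on a branch the advisory does not list as not patched, because the page says nothing about it.

```python
# Added example: branch-aware check of an installed Atlassian version against
# the fixed versions named in the June 2024 advisories above.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed (or, for Crucible, recommended) versions exactly as the advisory
# lists them; each is the first patched release on its major.minor branch.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "confluence": ["8.9.3", "8.5.11", "7.19.24"],
    "jira": ["9.16.0", "9.16.1", "9.12.8", "9.12.10", "9.4.21", "9.4.23"],
    "jira-service-management": ["5.16.0", "5.16.1", "5.12.8", "5.12.10",
                                "5.4.21", "5.4.23"],
    "crucible": ["4.8.15"],
}


def parse_version(text: str) -> Version:
    """Turn '8.5.11' (or '8.5') into a 3-tuple; reject anything non-numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_patched(product: str, installed: str) -> bool:
    """True if 'installed' is at or above the advisory's fix on its own
    major.minor branch. Assumption (not stated on the page): anything newer
    than the newest fixed release also carries the fix. A version on a
    branch the advisory does not list (e.g. Confluence 8.7.x) is reported
    as not patched, since the page gives no fixed release for it."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    same_branch = [f for f in fixes if f[:2] == inst[:2]]
    if same_branch:
        return inst >= min(same_branch)
    return inst > max(fixes)


def report(product: str, installed: str) -> str:
    """One-line human-readable verdict, convenient for a quick inventory."""
    verdict = "patched" if is_patched(product, installed) else "NOT patched"
    return f"{product} {installed}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("confluence", "8.5.10"), ("confluence", "8.9.3"),
                      ("jira", "9.12.9"), ("crucible", "4.8.0")]:
        print(report(prod, ver))
```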
