1:04pm, 7 December 2023
Four RCE vulnerabilities affecting Atlassian products
Four vulnerabilities have been discovered impacting a range of Atlassian collaboration products.
If exploited, each of the four vulnerabilities could allow an attacker to run unauthorised code or commands remotely on the affected systems.
The vulnerabilities are tracked as CVE-2023-22522, CVE-2023-22523, CVE-2023-22524, and CVE-2022-1471 (the last of these is a vulnerability in the third-party SnakeYAML library bundled with several Atlassian products).
What's happening
Systems affected
The following Atlassian products are affected:
CVE-2023-22522
- Confluence Data Center and Server
- Confluence Data Center (Data Center-only release lines)
CVE-2023-22523
- Assets Discovery app for Jira Service Management products
CVE-2023-22524
- Atlassian Companion App for MacOS for Confluence Server and Confluence Data Center
CVE-2022-1471
- Automation for Jira app (including Server Lite edition)
- Bitbucket Data Center and Server
- Confluence Data Center and Server
- Confluence Cloud Migration App
- Jira Core Data Center and Server
- Jira Service Management Data Center and Server
- Jira Software Data Center and Server
Check the vendor advisories (links below) for specific versions impacted.
What to do
Mitigation
Update the impacted Atlassian products as outlined below.
CVE-2023-22522
Update Confluence Data Center and Server to one of the following versions:
- 7.19.17 (LTS)
- 8.4.5
- 8.5.4 (LTS)
Update Confluence Data Center (Data Center-only release lines) to one of the following versions:
- 8.6.2 or later
- 8.7.1 or later
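The fix list above is branch-specific: a 7.19.x or 8.4.x to 8.7.x instance only needs its own branch's fixed release, while an instance on a branch with no listed fix (8.0.x to 8.3.x, or anything before 7.19) has to move to a later branch. The following Python script is an added example, not CERT NZ or Atlassian tooling; it encodes the fixed releases listed above and triages an inventory of Confluence versions accordingly. The hostnames and versions in its sample inventory are constructed, and two rules are the script's own assumptions: releases newer than 8.7.1 are treated as fixed (the advisory says "8.7.1 or later"), and a branch with no listed fix is told to upgrade to the next listed fixed release. The lower bound of affected versions is not given on this page, so confirm it against the vendor advisory before closing a ticket.

```python
"""Triage Confluence Data Center/Server versions against the CVE-2023-22522
fixed releases listed in this advisory.

Added example, not CERT NZ or Atlassian tooling. The fixed-release table is
taken from the advisory text; treating newer-than-8.7.1 releases as fixed and
unlisted branches as needing the next listed fixed release is this script's
own assumption.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases for CVE-2023-22522, keyed by minor branch (major, minor).
# 8.6.x and 8.7.x are Data Center-only release lines.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (7, 19): (7, 19, 17),   # LTS
    (8, 4): (8, 4, 5),
    (8, 5): (8, 5, 4),      # LTS
    (8, 6): (8, 6, 2),      # Data Center only
    (8, 7): (8, 7, 1),      # Data Center only
}
LTS_BRANCHES = {(7, 19), (8, 5)}


def parse_version(text: str) -> Version:
    """Parse '8.5.3' or '8.5' (treated as 8.5.0) into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Tuple[str, str]:
    """Return ('patched' | 'vulnerable', advice) for one Confluence version."""
    v = parse_version(version_text)
    branch = v[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        # The branch has a listed fix: compare against it directly.
        if v >= fixed:
            return "patched", f"{fmt(v)} is at or above the fixed release {fmt(fixed)}"
        return "vulnerable", f"update to {fmt(fixed)} or later on the {branch[0]}.{branch[1]}.x branch"
    if branch > max(FIXED_RELEASES):
        # Assumption: the advisory says '8.7.1 or later', so newer branches count as fixed.
        return "patched", f"{fmt(v)} is newer than the latest listed fixed release 8.7.1"
    # No fixed release exists on this branch (e.g. 8.3.x, 7.18.x): recommend the
    # next listed fixed release above it, and the nearest LTS fix as the usual choice.
    target = min(f for b, f in FIXED_RELEASES.items() if b > branch)
    lts = min(f for b, f in FIXED_RELEASES.items() if b > branch and b in LTS_BRANCHES)
    return ("vulnerable",
            f"no fixed release on the {branch[0]}.{branch[1]}.x branch; "
            f"upgrade to {fmt(target)} or later (nearest LTS fix: {fmt(lts)})")


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Assess every host in a {hostname: version} inventory, vulnerable hosts first."""
    rows = [(host, *assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[1] != "vulnerable", r[0]))


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for illustration.
    SAMPLE = {
        "wiki-prod.example.internal": "8.5.3",
        "wiki-dc.example.internal": "8.7.1",
        "wiki-legacy.example.internal": "7.18.2",
        "wiki-test.example.internal": "8.3.2",
    }
    for host, status, advice in triage(SAMPLE):
        print(f"{status:10} {host:32} {advice}")
```

Feed it the version strings from your own asset register (the Confluence administration console shows the running version); the sort order puts the hosts that still need work at the top of the output.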
CVE-2023-22523
Update the Assets Discovery app to the following versions:
- Assets Discovery 3.2.0-cloud or later
- Assets Discovery 6.2.0 or later
CVE-2023-22524
Confirm that the Atlassian Companion App for MacOS has automatically updated to version 2.0.0 or later. If that version is not compatible with your Confluence Data Center and Server instance, you can uninstall the Atlassian Companion App to mitigate the vulnerability.
CVE-2022-1471
- Update the impacted Atlassian product to the version listed in the vendor advisory.
More details on how to update and mitigate these vulnerabilities are in the vendor advisory links below.
More information
For CVE-2023-22522
For CVE-2023-22523
- Atlassian website: RCE Vulnerability in Assets Discovery
For CVE-2023-22524
- Atlassian website: RCE Vulnerability in Atlassian Companion App for MacOS
For CVE-2022-1471
- Atlassian website: SnakeYAML library RCE Vulnerability impacts Multiple Products
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384