Remote Code Execution Vulnerabilities in Multiple Atlassian Products


Fleury, Terry

Dec 6, 2023, 1:41:02 PM

CI Operators:

Atlassian has announced four critical remote code execution (RCE) vulnerabilities affecting multiple products, including Confluence Data Center and Server. All four vulnerabilities have CVSSv3 scores >= 9.0.



  • CVE-2023-1471 [2] - A deserialization vulnerability in the SnakeYAML library can lead to remote code execution in multiple products
  • CVE-2023-22522 [3] - RCE vulnerability in Confluence Data Center and Confluence Server after v4.0.0
  • CVE-2023-22523 [4] - RCE vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center up to v6.2.0
  • CVE-2023-22524 [5] - RCE vulnerability in Atlassian Companion app for macOS up to v2.0.0


Affected Software

  • Confluence Data Center and Server
  • The SnakeYAML library vulnerability affects multiple Atlassian products



Update to the latest version of Data Center or Server. There are no recommended mitigations.









How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
