CI Operators:
Atlassian has announced updates to address 1 critical severity issue and 24 high severity issues across various products [1], including Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, and Jira Software Data Center and Server.
Impact:
The one critical severity issue (CVE-2024-1597 [2]) affects Bamboo Data Center and Server with a CVSSv3 score of 10.0. The issue is an SQL injection vulnerability in the PostgreSQL JDBC driver that is reachable only when the non-default connection property "preferQueryMode=simple" is used. Atlassian products do not use this connection property, so the practical severity for Atlassian deployments is lower than the score suggests.
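Because the vulnerable code path depends on that one connection property, operators can confirm their own deployments do not opt into it. The following added check (not code from Atlassian, Trusted CI, or the pgjdbc project) scans text configuration files for PostgreSQL JDBC URLs carrying preferQueryMode=simple; the XML snippet inside it is constructed sample input, not a real Atlassian configuration file.

```python
import html
import re
from urllib.parse import unquote

# Connection property named in the advisory. The pgjdbc default is the
# extended query protocol; only an explicit "simple" value is of interest.
RISKY_PROPERTY = "preferQueryMode"
RISKY_VALUE = "simple"

# Constructed sample config (hypothetical, not a real dbconfig.xml). Note the
# XML-escaped "&amp;" that separates URL properties inside an XML document.
SAMPLE_CONFIG = """\
<database-config>
  <url>jdbc:postgresql://db.example.internal:5432/jira?ssl=true</url>
  <url>jdbc:postgresql://db.example.internal:5432/bamboo?ssl=true&amp;preferQueryMode=simple</url>
  <url>jdbc:postgresql://db.example.internal:5432/confluence?preferQueryMode=extended</url>
</database-config>
"""

JDBC_URL_RE = re.compile(r"jdbc:postgresql:[^\s\"'<>]+")


def jdbc_properties(jdbc_url: str) -> dict:
    """Return the key=value connection properties carried in a JDBC URL's query string."""
    if "?" not in jdbc_url:
        return {}
    props = {}
    for part in jdbc_url.split("?", 1)[1].split("&"):
        if part:
            key, _, value = part.partition("=")
            props[unquote(key).strip()] = unquote(value).strip()
    return props


def uses_simple_query_mode(jdbc_url: str) -> bool:
    """True only for PostgreSQL JDBC URLs that explicitly select the simple query protocol."""
    if not jdbc_url.lower().startswith("jdbc:postgresql:"):
        return False
    return jdbc_properties(jdbc_url).get(RISKY_PROPERTY, "").lower() == RISKY_VALUE


def scan_config(text: str) -> list:
    """Return (line number, url) for every PostgreSQL JDBC URL in text that opts into simple query mode."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in JDBC_URL_RE.findall(html.unescape(line)):  # undo &amp; escaping first
            if uses_simple_query_mode(url):
                findings.append((lineno, url))
    return findings


if __name__ == "__main__":
    for lineno, url in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {url}")
```

The property can also be set programmatically or through a separate properties object rather than in the URL, so a clean scan of configuration files does not by itself prove the setting is absent.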
The other 24 high severity issues deal primarily with path traversal, denial of service (DoS), and remote code execution (RCE) vulnerabilities across the Atlassian suite of products.
Affected Software:
Recommendation:
Download the latest version of software for your product. See the Security Bulletin [1] for any potential mitigations.
References:
[1] https://confluence.atlassian.com/security/security-bulletin-march-19-2024-1369444862.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-1597
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.