CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products
CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server
CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)
Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and clients must take immediate action to protect their instances.
Please carefully review all of the Critical Security Advisories impacting your Atlassian product(s) to verify affected versions and instructions. Note that Server, Data Center, and even some Cloud apps are affected.
Summary: CVE-2022-1471 - SnakeYAML library RCE Vulnerability impacts Multiple Products
Advisory Release Date: Tue, Dec 05 2023 21:00 PST
Products:
CVE ID: CVE-2022-1471
Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).
Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
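For teams that ship their own Java code alongside these products, the defect class above is worth checking for directly. The following is an added example (not Atlassian's or SnakeYAML's own code) contrasting the weak default loader with a loader restricted to standard YAML types; it assumes SnakeYAML 2.x or 1.33+, where `SafeConstructor(LoaderOptions)` exists, and uses a hypothetical class name `com.example.NotAllowed` in a constructed sample document.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample: an untrusted document carrying a global (!!) tag.
    // A global tag asks the parser to instantiate the named class, which is
    // the mechanism behind the deserialization flaw described above.
    // "com.example.NotAllowed" is a hypothetical placeholder, not a real gadget.
    static final String UNTRUSTED =
            "name: demo\n" +
            "handler: !!com.example.NotAllowed {}\n";

    // Weak pattern to look for in code review: on SnakeYAML 1.x the default
    // Yaml() uses the unrestricted Constructor, so tags in the input choose
    // which classes get instantiated.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and rejects any global tag.
    static Map<String, Object> loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        try {
            loadSafe(UNTRUSTED);
            System.out.println("Unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("Rejected by SafeConstructor: " + e.getMessage());
        }

        // A plain document with no tags still loads through the safe path.
        Map<String, Object> cfg = loadSafe("name: demo\nports: [80, 443]\n");
        System.out.println("Loaded safely: " + cfg);
    }
}
```

Upgrading to SnakeYAML 2.x, where global tags are disallowed by default, is the long-term fix; the explicit `SafeConstructor` keeps the restriction visible in code regardless of library version.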
Summary: CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server
Advisory Release Date: Tue, Dec 05 2023 21:00 PST
Products:
CVE ID: CVE-2023-22522
Related Jira Ticket(s):
Summary of Vulnerability
This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and Server versions as listed below are at risk and require immediate attention.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
See affected versions and mitigation steps here.
Summary: CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
Advisory Release Date: Tue, Dec 5 2023 21:00 PST
Products:
CVE ID: CVE-2023-22524
Related Jira Ticket(s):
Summary of Vulnerability
All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code.
The Atlassian Companion App is an optional desktop application that can be installed on users' devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances.
Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device.
This vulnerability affects the Atlassian Companion App only, not Confluence Data Center and Server or Cloud sites.
The Atlassian Companion App for Windows is not impacted by this vulnerability.
See affected versions and mitigation steps here.
Summary: CVE-2023-22523 - RCE (Remote Code Execution) Vulnerability in Assets Discovery
Advisory Release Date: Tue, Dec 5 2023 21:00 PST
Products: Assets Discovery for
CVE ID: CVE-2023-22523
Related Jira Ticket(s):
Summary of Vulnerability
This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent.
Assets Discovery, which can be downloaded via Atlassian Marketplace, is a stand-alone network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and collects detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.
See affected versions and mitigation steps here.
Atlassian found these vulnerabilities as part of an ongoing security review conducted in addition to its continuous security assessments; currently, there is no evidence of exploitation. Your security is our top priority, and we believe that acting proactively is the best approach to protecting your data.
Contact us or give us a call at (248) 606-4612. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.