Atlassian has released fixes for two high-severity bugs in its Confluence Server and Data Center products and one in its Bamboo Server and Data Center products, all of which can lead to remote code execution.
One of the Confluence vulnerabilities was introduced in version 8.0.0 while the other was introduced in 7.4.0. The Bamboo flaw (CVE-2023-22506) was introduced in version 8.0.0 of those products. Both Confluence and Bamboo are deployed widely in enterprises and used across multiple industries and sectors.
While the two Confluence flaws are both remote code execution bugs, the Bamboo bug is an injection and remote code execution vulnerability.
“This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction,” the Atlassian advisory for the Bamboo bug says.
Confluence is a popular collaboration and team workspace tool in enterprises and is used for a wide variety of tasks. It can be deployed on premises or in a hosted environment, and Bamboo can be deployed in the same way.
Organizations that have vulnerable versions of Confluence or Bamboo deployed on premises should upgrade to the fixed versions as soon as practical.