Atlassian Confluence and Bamboo Remote Code Execution Vulnerabilities

CVE-2023-22508

Atlassian has released security advisories for three vulnerabilities in Confluence Data Center & Server and Bamboo Data Center & Server. The vulnerabilities, which have been assigned the identifiers CVE-2023-22505, CVE-2023-22508, and CVE-2023-22506, allow authenticated attackers to execute arbitrary code with a high impact on confidentiality, integrity, and availability.

CVE-2023-22508

CVE-2023-22505: Remote Code Execution in Confluence Data Center & Server

The first of these, CVE-2023-22505, is a high-severity Remote Code Execution (RCE) vulnerability that surfaced in version 8.0.0 of Confluence Data Center & Server. With a CVSS score of 8, it’s a dire threat that allows an authenticated attacker to execute arbitrary code, compromising confidentiality, integrity, and availability, all without user interaction.

The vulnerability affects versions 8.0.0 up to, but not including, 8.3.2 and 8.4.0. Thankfully, versions 8.3.2 and onwards, as well as version 8.4.0 and subsequent versions, remain unaffected.

CVE-2023-22508: Remote Code Execution in Confluence Data Center & Server

Hard on the heels of CVE-2023-22505, we find another high-severity RCE vulnerability, CVE-2023-22508, making its debut in version 7.4.0 of Confluence Data Center & Server. With a slightly higher CVSS score of 8.5, it, too, allows an authenticated attacker to execute arbitrary code, creating a similar cascade of risks for confidentiality, integrity, and availability, all sans user interaction.

Confluence Data Center & Server versions 7.19.8 up to, but not including, 8.2.0, are vulnerable to this exploit, while versions 8.2.0 and later are immune to this specific threat.

CVE-2023-22506: Injection, Remote Code Execution in Bamboo

Next on the radar is Bamboo Data Center, which is grappling with a dual-threat vulnerability — CVE-2023-22506. This issue combines an injection vulnerability with an RCE, adding another layer of complexity to the security quandary.

Introduced in version 8.0.0 of Bamboo Data Center, this high-severity vulnerability, boasting a CVSS score of 7.5, enables an authenticated attacker to modify system call actions and execute arbitrary code, posing a grave threat to confidentiality, integrity, and availability, again without user interaction.

Bamboo Data Center and Server versions from 8.0.0 up to, but not including 9.2.3 and 9.3.1 are affected. The good news is that versions 9.2.3, 9.3.1, and their subsequent iterations remain unscathed.

Mitigation

The impact of these vulnerabilities can be significant. An attacker who successfully exploits one of these vulnerabilities could gain complete control of the affected server. This could allow the attacker to steal data, install malware, or disrupt operations. Atlassian has released patches for three serious vulnerabilities in Confluence and Bamboo. Users are advised to upgrade to the latest versions of these products as soon as possible.