CVE-2023-22513: Atlassian Bitbucket Data Center and Server RCE Vulnerability

Atlassian's Bitbucket and Confluence sit at the centre of many development teams' workflows, which also makes them attractive targets. Atlassian has recently published advisories for two high-severity vulnerabilities, one in each product, and both are summarised below with their fixed versions.

CVE-2023-22513: RCE (Remote Code Execution) in Bitbucket Data Center and Server

CVE-2023-22513 is a high-severity Remote Code Execution (RCE) vulnerability in Bitbucket Data Center and Server, rated CVSS 8.5 by Atlassian. The vulnerable code was introduced in version 8.0.0, so every 8.x release earlier than the fixed versions listed below is affected.

An authenticated attacker can exploit the flaw to execute arbitrary code on the Bitbucket host, with high impact on confidentiality, integrity and availability, and no user interaction is required. Note that "authenticated" is a low bar on instances that allow self-signup, are reachable from the internet, or have had user credentials leaked elsewhere, so this should be treated as a patch-now issue rather than an internal-only one.

The vulnerability was reported by a private researcher through Atlassian's Bug Bounty program.

Atlassian's recommendation is to upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the supported fixed versions:

  • Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5
  • Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5
  • Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4
  • Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2
  • Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1
  • Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0
  • Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions.

CVE-2023-22512: DoS (Denial of Service) in Confluence Data Center and Server

CVE-2023-22512 is a Denial of Service (DoS) vulnerability in Confluence Data Center and Server, rated CVSS 7.5. The vulnerable code dates back to version 5.6, so a very wide range of deployed releases is affected. It has no confidentiality or integrity impact; the impact is entirely on availability.

An unauthenticated attacker with network access to the instance can exploit the flaw to make Confluence unavailable, either temporarily or indefinitely. Because no credentials are needed, any internet-facing Confluence instance on an affected version should be considered exposed.

This flaw was also reported by a participant in Atlassian's Bug Bounty program.

Atlassian recommends upgrading Confluence to the latest version. If you are unable to do so, upgrade your instance to one of the supported fixed versions:

  • Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.14
  • Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.1
  • Confluence Data Center and Server 8.6 or above: No need to upgrade, you’re already on a patched version
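To turn the two fix lists above (Bitbucket for CVE-2023-22513, Confluence for CVE-2023-22512) into something you can run over an inventory, here is an added example written for this page; it is not Atlassian's own tooling. The version ranges and fix versions are taken from the lists above. The hostnames in the sample inventory are constructed, and the recommendation for a vulnerable release line that received no backported fix (move to the lowest fixed release above it) is this example's reading of the "upgrade to any of the listed fix versions" guidance, not text from the advisory.

```python
"""Classify Bitbucket / Confluence Data Center and Server versions against
the fixed versions for CVE-2023-22513 and CVE-2023-22512 listed on this page.
Added example for this page; not Atlassian's tooling."""

import re

Version = tuple[int, int, int]

# Fix data as given in the two fix lists above.
ADVISORIES = {
    "bitbucket": {
        "cve": "CVE-2023-22513",
        "introduced": (8, 0, 0),  # vulnerable code first shipped in 8.0.0
        "branch_fixes": {
            (8, 9): (8, 9, 5),
            (8, 10): (8, 10, 5),
            (8, 11): (8, 11, 4),
            (8, 12): (8, 12, 2),
            (8, 13): (8, 13, 1),
        },
        "clean_from": (8, 14, 0),  # 8.14.0 and every later release are fixed
    },
    "confluence": {
        "cve": "CVE-2023-22512",
        "introduced": (5, 6, 0),  # vulnerable since 5.6
        "branch_fixes": {
            (7, 19): (7, 19, 14),
            (8, 5): (8, 5, 1),
        },
        "clean_from": (8, 6, 0),  # 8.6 and later already contain the fix
    },
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """'8.9.4' -> (8, 9, 4); '8.14' -> (8, 14, 0).

    Only plain numeric versions are accepted. Anything else (a build suffix,
    a bare 'latest', a typo) raises rather than silently classifying as safe.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(product: str, version_text: str) -> tuple[bool, str]:
    """Return (affected, advice) for one installed version."""
    adv = ADVISORIES[product]
    cve = adv["cve"]
    v = parse_version(version_text)

    if v < adv["introduced"]:
        return False, f"{cve}: not affected (predates the vulnerable code)"
    if v >= adv["clean_from"]:
        return False, f"{cve}: not affected (release line already fixed)"

    fix = adv["branch_fixes"].get(v[:2])
    if fix is not None:
        if v >= fix:
            return False, f"{cve}: not affected (on a fixed release)"
        return True, f"{cve}: AFFECTED, upgrade to {fmt(fix)} or later"

    # Vulnerable release line with no backported fix (e.g. Bitbucket 8.0-8.8):
    # recommend the lowest fixed release above the running version, the least
    # disruptive reading of "upgrade to any of the listed fix versions".
    higher_fixes = sorted(f for f in adv["branch_fixes"].values() if f > v)
    target = higher_fixes[0] if higher_fixes else adv["clean_from"]
    return True, f"{cve}: AFFECTED, no fix on this release line; upgrade to {fmt(target)} or later"


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Run assess() over (host, product, version) rows; return the affected hosts."""
    affected_hosts = []
    for host, product, version in inventory:
        affected, advice = assess(product, version)
        if affected:
            affected_hosts.append((host, advice))
    return affected_hosts


# Constructed sample inventory; the hostnames are made up for this example.
SAMPLE_INVENTORY = [
    ("git.example.internal", "bitbucket", "8.9.4"),
    ("git-dr.example.internal", "bitbucket", "8.14.1"),
    ("git-legacy.example.internal", "bitbucket", "8.8.3"),
    ("wiki.example.internal", "confluence", "8.5.0"),
    ("wiki-old.example.internal", "confluence", "7.20.1"),
    ("wiki-new.example.internal", "confluence", "8.6.2"),
]

if __name__ == "__main__":
    for host, advice in triage(SAMPLE_INVENTORY):
        print(f"{host:30} {advice}")
```

Feed `assess()` the version string shown in each instance's admin UI or returned by your inventory tooling. The parser deliberately rejects anything that is not a plain numeric version, because a build suffix or an unexpected string silently parsed as "fixed" is exactly the failure mode you do not want in a patch-status check.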