Atlassian RCE Bugs Plague Confluence, Bamboo

Three just-disclosed remote code execution (RCE) security vulnerabilities open up Atlassian Confluence Data Center & Server, and Bamboo, to system takeover, the software company is warning.

Confluence is a popular Web-based corporate wiki used for collaboration in cloud and hybrid server environments that allows one-click connections to a variety of different databases. More than 60,000 customers use Confluence, including LinkedIn, NASA, and the New York Times.

Bamboo, meanwhile, is a continuous integration (CI) and continuous delivery (CD) server for software development that provides automated building and testing of software source-code status.

Successful exploitation of any of the flaws could offer a wide-open door into users' cloud infrastructure, software supply chain, and more. While threat actors need to be authenticated to be successful, no user interaction is required to exploit the bugs.

In Confluence, the vulnerabilities are tracked as CVE-2023-22505 (CVSS 8.5) and CVE-2023-22508 (CVSS 8.0). Both were patched in Confluence versions 8.3.2 and 8.4.0.

"This injection and RCE vulnerability allow an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability,” Atlassian noted in its security advisory on Confluence.

Meanwhile, the high-severity issue in the Bamboo Data Center (CVE-2023-22506, CVSS 7.5) was patched in versions 9.2.3 and 9.3.1.

"[An attacker can] modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability," according to Atlassian. 

Given the sensitive nature of Atlassian within corporate networks, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging that users apply the patches to their Atlassian instances as soon as possible.