Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Atlassian Patches Critical Flaws in Confluence and Crowd: A Closer Look at the Vulnerabilities and Their Implications


Atlassian has patched 12 critical and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira, including two RCE bugs with a CVSS score of 9.8. Users should ensure their software is up-to-date to minimize the risk of a security breach.

  • Pierluigi Paganini revealed that Atlassian patched 12 critical and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira.
  • The most severe vulnerabilities are CVE-2024-50379 and CVE-2024-56337, with a CVSS score of 9.8.
  • CVE-2024-50379 is an RCE bug in Confluence Data Center and Server, while CVE-2024-56337 is a TOCTOU vulnerability in Apache Tomcat.
  • Users need to upgrade to the latest versions (11.0.3, 10.1.35, or 9.0.99) for CVE-2024-56337 and to version 11.0.2, 10.1.34, or 9.0.98 for CVE-2024-50379.
  • CVE-2024-52316 is another critical vulnerability related to Broken Authentication & Session Management (BASM) in Apache Tomcat's Jakarta Authentication.



  • Pierluigi Paganini, a renowned security expert, recently broke news about Atlassian's latest security patches for its popular software products. In his article, published on February 21, 2025, he revealed that Atlassian had patched 12 critical and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira.

    The most severe vulnerabilities addressed by the company are CVE-2024-50379 and CVE-2024-56337. Both carry a CVSS score of 9.8, indicating that they pose a significant threat to the security of Atlassian's products. The first bug is a Remote Code Execution (RCE) flaw in Confluence Data Center and Server, while the second is a TOCTOU vulnerability in Apache Tomcat.

    CVE-2024-50379 is an RCE bug that allows attackers to execute arbitrary code on case-insensitive file systems where the default servlet has been placed in a non-default, write-enabled configuration. It is fixed by upgrading to version 11.0.2, 10.1.34, or 9.0.98. CVE-2024-56337 is also an RCE vulnerability, and it is a TOCTOU race condition in Apache Tomcat.

    The second bug, CVE-2024-56337, resulted from an incomplete mitigation for CVE-2024-50379. This means that users on case-insensitive file systems with a write-enabled default servlet need to apply additional Java-specific mitigations to avoid the vulnerability. Atlassian has fixed this bug in versions 11.0.3, 10.1.35, and 9.0.99.

    Another critical vulnerability addressed by Atlassian is CVE-2024-52316, which is related to Broken Authentication & Session Management (BASM) in Apache Tomcat's Jakarta Authentication. This bug is fixed by upgrading to version 9.0.96, 10.1.31, or 11.0.0.

    To restate the first bug: CVE-2024-50379 has a CVSS score of 9.8, affects case-insensitive file systems with a non-default, write-enabled default servlet, and is fixed by upgrading to version 9.0.98, 10.1.34, or 11.0.2.

    It is worth noting that the company did not disclose whether these flaws have been exploited in attacks in the wild. Nevertheless, users of Atlassian's products should keep their software up to date and follow best practices to minimize the risk of a security breach.

    In conclusion, Atlassian's latest security patches address 12 critical and high-severity vulnerabilities in its popular software products. It is crucial for users to stay informed about these vulnerabilities and take necessary precautions to protect themselves from potential attacks.
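The article names two preconditions for the Tomcat bugs (a write-enabled default servlet on a case-insensitive file system) and two sets of fixed versions (11.0.2/10.1.34/9.0.98 for CVE-2024-50379 and 11.0.3/10.1.35/9.0.99 for the completed fix, CVE-2024-56337). The script below is an added example, not code from the article, Atlassian or Apache: it reads the DefaultServlet `readonly` init-param from a Tomcat `conf/web.xml` document and compares an installed version against those fixed versions. The `web.xml` content is constructed sample input, the `case_insensitive_fs` flag is an assumed caller-supplied input (it cannot be derived from `web.xml`), and the fixed-version table is taken from the article.

```python
"""Version and configuration check for the Tomcat fixes named in the article.

Added example, not from the article or from Apache/Atlassian. The fixed
versions come from the article; the sample web.xml below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as listed in the article, keyed by release line (major, minor).
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2024-50379": {(9, 0): (9, 0, 98), (10, 1): (10, 1, 34), (11, 0): (11, 0, 2)},
    "CVE-2024-56337": {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)},
}

# Constructed sample: a conf/web.xml whose default servlet has been switched to
# write-enabled (readonly=false), the non-default setting the article warns about.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local tag name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_readonly(web_xml: str) -> bool:
    """True when the servlet named 'default' is read-only (Tomcat's shipped default)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "default":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() != "false"
        return True  # declared without a readonly param: Tomcat defaults it to true
    return True  # no explicit declaration: treat as Tomcat's read-only default


def parse_version(version: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple."""
    major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    return major, minor, patch


def patched_for(version: str, cve: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its line; None if the line is not listed."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS[cve].get(v[:2])
    return None if fixed is None else v >= fixed


def assess(version: str, web_xml: str, case_insensitive_fs: bool) -> Dict[str, str]:
    """Classify each CVE as 'patched', 'exposed', 'not exposed' or 'unknown line'.

    'exposed' requires both preconditions the article names: a write-enabled
    default servlet and a case-insensitive file system. The file-system flag
    is assumed to be supplied by the caller from knowledge of the host OS.
    """
    write_enabled = not default_servlet_readonly(web_xml)
    verdicts: Dict[str, str] = {}
    for cve in FIXED_VERSIONS:
        fixed = patched_for(version, cve)
        if fixed is None:
            verdicts[cve] = "unknown line"
        elif fixed:
            verdicts[cve] = "patched"
        elif write_enabled and case_insensitive_fs:
            verdicts[cve] = "exposed"
        else:
            verdicts[cve] = "not exposed"
    return verdicts


if __name__ == "__main__":
    # A 10.1.34 host carries the first fix but not the completed one the article lists.
    for cve, verdict in assess("10.1.34", SAMPLE_WEB_XML, case_insensitive_fs=True).items():
        print(f"{cve}: {verdict}")
```

Run against a real deployment by reading `conf/web.xml` from `CATALINA_BASE` and taking the version from the Tomcat `RELEASE-NOTES` or the `version.sh` output; a host whose default servlet is read-only, or whose file system is case-sensitive, is reported as "not exposed" even when below the fixed version, which mirrors the exposure condition the article describes rather than a blanket version check.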

    Related Information:

  • https://securityaffairs.com/174474/security/atlassian-fixed-critical-flaws-in-confluence-and-crowd.html

  • https://www.securityweek.com/atlassian-patches-critical-vulnerabilities-in-confluence-crowd/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-50379

  • https://www.cvedetails.com/cve/CVE-2024-50379/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-56337

  • https://www.cvedetails.com/cve/CVE-2024-56337/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-52316

  • https://www.cvedetails.com/cve/CVE-2024-52316/


  • Published: Fri Feb 21 08:28:16 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.