Atlassian fixed critical flaws in Confluence and Crowd

Atlassian fixed critical flaws in Confluence and Crowd

Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira.

Software firm Atlassian released security patches to address 12 critical- and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira products.

The most severe vulnerabilities addressed by the company are:

CVE-2024-50379 – (CVSS score of 9.8) – RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server in Confluence Data Center. The flaw is a TOCTOU race condition in Apache Tomcat that allows RCE on case-insensitive file systems with a non-default write-enabled servlet. Update to 11.0.2, 10.1.34, or 9.0.98.

CVE-2024-56337 – (CVSS score of 9.8) – RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server. The flaw is an Apache Tomcat’s TOCTOU vulnerability, caused by incomplete mitigation for CVE-2024-50379. The vulnerability requires extra config on case-insensitive file systems. Fix in 11.0.3, 10.1.35, 9.0.99.

CVE-2024-52316 – (CVSS score of 9.8) – BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server. An unchecked error in Apache Tomcat’s Jakarta Authentication may allow auth bypass if a custom ServerAuthContext fails without setting an HTTP status. Affects versions 9.0.0-M1–9.0.95, 10.1.0-M1–10.1.30, 11.0.0-M1–11.0.0-M26. Upgrade to 9.0.96, 10.1.31, or 11.0.0.

CVE-2024-50379 – (CVSS score of 9.8) – A TOCTOU race condition in Apache Tomcat allows RCE on case-insensitive file systems. Affects versions 9.0.0.M1-9.0.97, 10.1.0-M1-10.1.33, 11.0.0-M1-11.0.1. Upgrade to 9.0.98, 10.1.34, or 11.0.2.

CVE-2024-56337 – (CVSS score of 9.8) – Apache Tomcat’s TOCTOU race condition (CVE-2024-50379) fix was incomplete. Affects versions 9.0.0-M1–9.0.97, 10.1.0-M1–10.1.33, 11.0.0-M1–11.0.1. Users on case-insensitive file systems with write-enabled default servlet need additional Java-specific mitigations. Fixed in Tomcat 9.0.99, 10.1.35, and 11.0.3.

The company did not disclose whether these flaws have been exploited in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian)