On December 6, 2023, the Federal Office for Information Security (BSI) issued a security advisory regarding Atlassian products. The security vulnerability affects UNIX, Linux, and Windows operating systems, as well as Atlassian Bitbucket, Atlassian Confluence, and Atlassian Jira Software.
For the latest manufacturer recommendations regarding updates, workarounds, and security patches for this vulnerability, please refer to the Atlassian Security Advisory CVE-2022-1471 (as of December 5, 2023). Additional useful links are provided at the end of this article.
Security Advisory for Atlassian Products – Risk: High
- Risk Level: 4 (High)
- CVSS Base Score: 9.8
- CVSS Temporal Score: 8.5
- Remote Attack: Yes
The severity of vulnerabilities in computer systems is evaluated using the Common Vulnerability Scoring System (CVSS). This standard allows potential or actual security vulnerabilities to be compared on a set of metrics, so that countermeasures can be prioritized. Severity is expressed with ratings such as “none,” “low,” “medium,” “high,” and “critical.” The Base Score evaluates the prerequisites for an attack and its consequences, while the Temporal Score accounts for how the threat changes over time. The current vulnerability is rated as “high” with a Base Score of 9.8.
Atlassian Products Bug: Multiple vulnerabilities allow code execution
Bitbucket is a Git server for source code version control, Confluence is commercial wiki software, and Jira is a web application for software development. A remote attacker, anonymous or authenticated, can exploit multiple vulnerabilities in Atlassian Bitbucket, Atlassian Confluence, and Atlassian Jira Software to execute arbitrary code. The vulnerabilities are tracked under the CVE (Common Vulnerabilities and Exposures) identifiers CVE-2023-22524, CVE-2023-22523, CVE-2023-22522, and CVE-2022-1471.
Overview of affected systems:
- Operating Systems: UNIX, Linux, Windows
- Products:
  - Atlassian Bitbucket Data Center
  - Atlassian Bitbucket Server
  - Atlassian Confluence Data Center
  - Atlassian Confluence Server
  - Atlassian Confluence Cloud Migration App
  - Atlassian Jira Software Core Data Center
  - Atlassian Jira Software Core Server
  - Atlassian Jira Software Service Management Data Center
  - Atlassian Jira Software Service Management Server
  - Atlassian Jira Software Software Data Center
  - Atlassian Jira Software Software Server
  - Atlassian Jira Software Management Cloud
General measures for handling IT security vulnerabilities:
- Users should keep the affected applications up to date and promptly install new security updates.
- For further information on current versions of the software, availability of security patches, or workarounds, consult the sources listed below.
- If you have any questions or uncertainties, contact your system administrator.
- IT security officers should regularly check for the availability of new security updates.
Manufacturer information on updates, patches, and workarounds: Additional links to bug reports, security fixes, and workarounds are provided below:
- Atlassian Security Advisory CVE-2022-1471, dated December 5, 2023
- Atlassian Security Advisory CVE-2023-22522, dated December 5, 2023
- Atlassian Security Advisory CVE-2023-22523, dated December 5, 2023
- Atlassian Security Advisory CVE-2023-22524, dated December 5, 2023