#securitybulletin

🛡 H3lium@infosec.exchange/:~#

Security Bulletin: Atlassian June 2024

Date: June 18, 2024
CVE: CVE-2024-22257
Vulnerability Type: Improper Authorization
CWE: [[CWE-284]], [[CWE-918]], [[CWE-400]]
Sources: Atlassian Documentation (https://confluence.atlassian.com/security/security-bulletin-june-18-2024-1409286211.html), NVD (https://nvd.nist.gov/vuln/detail/CVE-2024-22257)

Synopsis

Atlassian has released a security bulletin addressing multiple high-severity vulnerabilities in its products. These vulnerabilities, discovered through the company's Bug Bounty program and third-party scans, have been fixed in recent versions.

Issue Summary

Nine high-severity vulnerabilities affecting various Atlassian products were disclosed. These vulnerabilities include issues such as improper authorization and server-side request forgery (SSRF) in dependencies like org.springframework.security:spring-security-core and org.springframework:spring-web. Confluence, Jira, and Fisheye/Crucible are among the affected products.

Technical Key Findings

The vulnerabilities primarily involve improper authorization and SSRF, which allow attackers to exploit insufficient validation of user inputs. For instance, CVE-2024-22257 involves improper authorization due to flaws in the org.springframework.security:spring-security-core dependency, potentially leading to unauthorized access.

Vulnerable Products

- Confluence Data Center and Server: Versions 8.9.0 to 8.9.2, 8.8.0 to 8.8.1, 8.7.1 to 8.7.2, among others.
- Fisheye/Crucible: Versions 4.8.10 to 4.8.14.
- Jira Data Center and Server: Versions 9.12.0 to 9.12.7 (LTS), 9.4.0 to 9.4.20 (LTS).
- Jira Service Management: Versions 5.15.2, 5.12.0 to 5.12.7 (LTS).

Impact Assessment

Exploiting these vulnerabilities could lead to unauthorized access, denial of service (DoS), or information disclosure, significantly impacting the confidentiality, integrity, and availability of the affected systems.

Patches or Workaround

Patches have been released for the affected products. Users are advised to update to the latest versions or apply the recommended fixed versions listed in the bulletin. No temporary mitigations are provided; hence, immediate patching is crucial.

Tags

#Atlassian #CVE-2024-22257 #ImproperAuthorization #SSRF #DoS #Confluence #Jira #SecurityBulletin #Vulnerability

🛡 H3lium@infosec.exchange/:~#

"🚨 #SecurityBulletin: IBM Db2 Vulnerabilities Alert! 🚨"

IBM has released a security bulletin detailing multiple vulnerabilities in IBM Db2, which is shipped with IBM WebSphere Remote Server. These vulnerabilities range from denial of service attacks to information disclosure vulnerabilities. Some of the notable CVEs include:

- CVE-2023-39976: A vulnerability in libqb affecting IBM® Db2® High-Availability deployments using Pacemaker.
- CVE-2023-40373: IBM® Db2® is vulnerable to denial of service with a specially crafted query containing common table expressions.
- CVE-2023-40372: IBM® Db2® is vulnerable to denial of service with a specially crafted SQL statement using External Tables.
- CVE-2023-33850: IBM® Db2® has an information disclosure vulnerability due to the consumed GSKit library.

IBM urges users to address these vulnerabilities by upgrading the affected products. For a detailed breakdown and remediation steps, refer to the official IBM Security Bulletin (https://www.ibm.com/support/pages/node/7062492).

Tags: #IBM #Db2 #WebSphere #SecurityBulletin #Vulnerabilities #CyberSecurity #DenialOfService #InformationDisclosure 🛡️🔍🚀