Security Bulletin - November 21 2023
November 2023 Security Bulletin
The issues in this bulletin reflect a recent broadening of our disclosure scope. Previously we disclosed only first-party, critical-severity vulnerabilities through critical advisories. The high-severity vulnerabilities listed here have a lower impact than the issues covered by those critical advisories. This change increases the number of visible disclosures, but it does not mean there are more vulnerabilities; rather, we are taking a more proactive approach to vulnerability transparency and are committed to giving our customers the information they need to make informed decisions about updating our products.
This security bulletin reports 26 high-severity vulnerabilities that have been fixed in new versions of our products released in the last month. They were discovered through our Bug Bounty program and penetration-testing processes, as well as third-party library scans.
Questions about the bulletin? Read more about this new format here.
Released Security Vulnerabilities
Summary | Severity | CVSS Score | Affected Versions | CVE ID | More Details | Public Date |
---|---|---|---|---|---|---|
Info Disclosure com.google.guava:guava in Jira Software Data Center and Server | High | 7.1 | All versions including and after 8.20.0 | CVE-2023-2976 | JSWSERVER-25415 | Nov 21, 2023 |
DoS (Denial of Service) com.google.code.gson:gson in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2022-25647 | JSWSERVER-25412 | Nov 21, 2023 |
DoS (Denial of Service) org.jsoup:jsoup in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2021-37714 | JSWSERVER-25410 | Nov 21, 2023 |
Deserialization com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2022-42004 | JSWSERVER-25409 | Nov 21, 2023 |
DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2022-42003 | JSWSERVER-25408 | Nov 21, 2023 |
DoS (Denial of Service) jackson-databind in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2021-46877 | JSWSERVER-25407 | Nov 21, 2023 |
DoS (Denial of Service) com.fasterxml.jackson.core in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2020-36518 | JSWSERVER-25406 | Nov 21, 2023 |
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2023-42794 | JSWSERVER-25400 | Nov 21, 2023 |
DoS (Denial of Service) io.netty:netty-codec-http2 in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2023-44487 | JSWSERVER-25398 | Nov 21, 2023 |
Cache Poisoning org.eclipse.jetty:jetty-server in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2017-7656 | JSWSERVER-22148 | Nov 21, 2023 |
DoS (Denial of Service) org.eclipse.jetty:jetty-io in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2021-28165 | JSWSERVER-22145 | Nov 21, 2023 |
Info Disclosure org.eclipse.jetty:jetty-util in Jira Software Data Center and Server | High | 7.5 | All versions including and after 8.20.0 | CVE-2017-9735 | JSWSERVER-22141 | Nov 21, 2023 |
RCE (Remote Code Execution) in Crowd Data Center and Server | High | 8 | All versions including and after 3.4.6 | CVE-2023-22521 | CWD-6139 | Nov 21, 2023 |
SSRF org.apache.xmlgraphics in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-41704 | CONFSERVER-93179 | Nov 21, 2023 |
SSRF org.apache.xmlgraphics:batik-bridge in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-40146 | CONFSERVER-93178 | Nov 21, 2023 |
XSS org.apache.xmlgraphics:batik-script in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-42890 | CONFSERVER-93175 | Nov 21, 2023 |
org.apache.tomcat:tomcat-catalina Vulnerability in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-45143 | CONFSERVER-93173 | Nov 21, 2023 |
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-28366 | CONFSERVER-93169 | Nov 21, 2023 |
Request Smuggling org.apache.tomcat:tomcat-coyote in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2022-42252 | CONFSERVER-93168 | Nov 21, 2023 |
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2023-42794 | CONFSERVER-93164 | Nov 21, 2023 |
DoS (Denial of Service) io.netty:netty-codec-http2 in Confluence Data Center and Server | High | 7.5 | All versions including and after 6.13.0 | CVE-2023-44487 | CONFSERVER-93163 | Nov 21, 2023 |
Third-Party Dependency in Bitbucket Data Center and Server | High | 7.5 | All versions including and after 7.21.0 | CVE-2021-40690 | BSERV-18986 | Nov 21, 2023 |
DoS (Denial of Service) apache-struts in Bamboo Data Center and Server | High | 7.5 | All versions including and after 8.1.0 | CVE-2023-34396 | BAM-25501 | Nov 21, 2023 |
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Bamboo Data Center and Server | High | 7.5 | All versions including and after 8.1.0 | CVE-2023-42794 | BAM-25470 | Nov 21, 2023 |
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote in Bamboo Data Center and Server | High | 7.5 | All versions including and after 8.1.0 | CVE-2023-44487 | BAM-25469 | Nov 21, 2023 |
RCE (Remote Code Execution) in Bamboo Data Center and Server | High | 8.5 | All versions including and after 8.1.0 | CVE-2023-22516 | BAM-25168 | Nov 21, 2023 |
What you need to do
To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version. If you're unable to do so, patch to the minimum fix version in the table below.
Product | Fix Recommendation |
---|---|
Crowd Data Center and Server | Patch to a minimum fix version of 5.1.6, 5.2.1 or latest |
Confluence Data Center | Patch to a minimum fix version of 8.6.1 or latest |
Confluence Server | Patch to a minimum fix version of 8.5.4 or latest |
Bitbucket Data Center and Server | Patch to a minimum fix version of 7.21.18 or latest |
Bamboo Data Center and Server | Patch to a minimum fix version of 9.2.7, 9.3.4, 9.3.5 or latest |
Jira Data Center and Server | Patch to a minimum fix version of 9.12.0 or latest |
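The fix table above has a subtlety that a plain "is my version newer than X" comparison misses: where several minimum fix versions are listed (Bamboo 9.2.7, 9.3.4, 9.3.5; Crowd 5.1.6, 5.2.1), each backported fix only covers its own major.minor line, so a Bamboo 9.3.0 install is newer than 9.2.7 yet still unpatched. The following is an added example, not Atlassian's own tooling: it transcribes the affected-from and minimum-fix versions from this bulletin's two tables and classifies an installed version as fixed, vulnerable, or outside the affected range. The treatment of "or latest" as any version above the highest listed fix, and the sample inventory at the bottom, are assumptions made for the example.

```python
"""Check installed Atlassian product versions against this bulletin's fix table.

Added example, not Atlassian's own code. Fix versions and the start of each
affected range are transcribed from the bulletin; the reading of "or latest"
as any version above the highest listed fix is an assumption.
"""
from __future__ import annotations

import re
from typing import Tuple

Version = Tuple[int, ...]

# Transcribed from the bulletin: product -> (affected from, minimum fix versions).
BULLETIN = {
    "Crowd Data Center and Server": ("3.4.6", ["5.1.6", "5.2.1"]),
    "Confluence Data Center": ("6.13.0", ["8.6.1"]),
    "Confluence Server": ("6.13.0", ["8.5.4"]),
    "Bitbucket Data Center and Server": ("7.21.0", ["7.21.18"]),
    "Bamboo Data Center and Server": ("8.1.0", ["9.2.7", "9.3.4", "9.3.5"]),
    "Jira Data Center and Server": ("8.20.0", ["9.12.0"]),
}


def parse_version(text: str) -> Version:
    """Parse 'a.b.c' into an integer tuple so that 9.12.0 sorts above 9.2.7.

    A trailing suffix such as '-rc1' is ignored; missing components are padded
    with zeros so that '9.2' compares equal to '9.2.0'.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def same_minor_line(a: Version, b: Version) -> bool:
    """True when both versions share the same major.minor release line."""
    return a[:2] == b[:2]


def assess(product: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable' or 'outside-affected-range' for one install."""
    if product not in BULLETIN:
        raise KeyError(f"product not covered by this bulletin: {product!r}")
    affected_from, fixes = BULLETIN[product]
    v = parse_version(installed)
    fix_versions = [parse_version(f) for f in fixes]

    if v < parse_version(affected_from):
        return "outside-affected-range"
    # Assumption: "or latest" means anything above the highest listed fix is fixed.
    if v >= max(fix_versions):
        return "fixed"
    # A backported fix (e.g. 9.2.7) covers only releases on its own major.minor
    # line: 9.3.0 is newer than 9.2.7 but still lacks the fix, so it stays vulnerable.
    if any(same_minor_line(v, f) and v >= f for f in fix_versions):
        return "fixed"
    return "vulnerable"


def report(inventory: list) -> list:
    """Classify every (product, installed version) pair in an inventory."""
    return [(product, ver, assess(product, ver)) for product, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory for the example; not real deployment data.
    sample = [
        ("Bamboo Data Center and Server", "9.3.0"),
        ("Bamboo Data Center and Server", "9.2.8"),
        ("Jira Data Center and Server", "9.4.12"),
        ("Crowd Data Center and Server", "5.1.7"),
        ("Confluence Server", "8.5.4"),
        ("Bitbucket Data Center and Server", "7.17.3"),
    ]
    for product, version, verdict in report(sample):
        print(f"{product:35} {version:>8}  {verdict}")
```

Feed it the product and version strings from your own inventory; the "outside-affected-range" verdict only means the version precedes the range this bulletin lists, not that it is supported or free of other issues.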
To search for CVEs or check your products' versions against disclosed vulnerabilities, use the Vulnerability Disclosure Portal.