Advisory

Atlassian fixes SQL injection flaw in Bamboo, other issues in Bitbucket, Confluence, and Jira

Take action: If you are running hosted Atlassian products (Bamboo, Bitbucket, Confluence, or Jira), review the advisory and plan a patch cycle. This is not a panic-mode patch, with one exception: check your Postgres configuration now to confirm that your Bamboo instance is not vulnerable. Patching remains the smart choice either way.


Learn More

Atlassian has fixed a critical SQL injection vulnerability in Bamboo Data Center and Server. The issue, tracked as CVE-2024-1597 (CVSS score 10), lies in the PostgreSQL JDBC driver and enables SQL injection that "could allow an unauthenticated attacker to expose assets in the environment susceptible to exploitation".

Atlassian has noted that the actual risk to its products is considerably lower, since the flaw only affects PostgreSQL if PreferQueryMode is set to "simple", which is not the configuration Atlassian uses. Customers are still advised to check their Postgres instance configuration and to patch.
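The configuration check above comes down to one question: does the JDBC connection to Postgres set preferQueryMode to simple? The following Python script is an added example, not code from Atlassian or from this advisory. It pulls every jdbc:postgresql URL out of a configuration file body, reports the effective preferQueryMode, and flags any connection that uses simple mode. The sample configuration, the hibernate.connection.url property name and the host names are constructed assumptions for illustration; pgjdbc's documented default of extended when the property is absent is the only external fact relied on. The check is deliberately conservative: if either the URL or a separately supplied property set names simple, the connection is flagged.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample configuration (assumption: a Bamboo-style XML properties
# file carrying the JDBC URL under hibernate.connection.url). Not taken from
# any real installation; adapt the file and property name to your deployment.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<application-configuration>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://db.example.internal:5432/bamboo?ssl=true&amp;preferQueryMode=simple</property>
    <property name="hibernate.connection.username">bamboo</property>
  </properties>
</application-configuration>
"""

# pgjdbc's documented default when preferQueryMode is not set.
DEFAULT_QUERY_MODE = "extended"

# Matches a jdbc:postgresql URL up to whitespace, an XML tag, or a quote.
JDBC_URL_RE = re.compile(r"jdbc:postgresql:[^\s<>\"']+")


def find_jdbc_urls(text):
    """Return every jdbc:postgresql URL in a config body (XML entities decoded first)."""
    return JDBC_URL_RE.findall(html.unescape(text))


def jdbc_query_params(url):
    """Parse the query string of a jdbc:postgresql URL into a dict of str -> str.

    The 'jdbc:' prefix is stripped so the standard URL parser can handle the
    rest; if a key repeats, the last occurrence wins in this checker.
    """
    if not url.startswith("jdbc:postgresql:"):
        raise ValueError("not a PostgreSQL JDBC URL: %r" % url)
    parts = urlsplit(url[len("jdbc:"):])
    params = parse_qs(parts.query, keep_blank_values=True)
    return {key: values[-1] for key, values in params.items()}


def prefer_query_mode(url):
    """Effective preferQueryMode for a URL, falling back to pgjdbc's default."""
    return jdbc_query_params(url).get("preferQueryMode", DEFAULT_QUERY_MODE)


def uses_simple_mode(url, connection_props=None):
    """Conservative check: True if the URL or an extra property set says 'simple'.

    connection_props models properties passed to the driver separately from
    the URL (for example from a datasource definition).
    """
    modes = {prefer_query_mode(url)}
    if connection_props and "preferQueryMode" in connection_props:
        modes.add(connection_props["preferQueryMode"])
    return "simple" in modes


def audit_config(text, connection_props=None):
    """Return (url, effective_mode, flagged) for every JDBC URL found in text."""
    return [
        (url, prefer_query_mode(url), uses_simple_mode(url, connection_props))
        for url in find_jdbc_urls(text)
    ]


if __name__ == "__main__":
    for url, mode, flagged in audit_config(SAMPLE_CONFIG):
        status = "FLAG" if flagged else "ok  "
        print("%s preferQueryMode=%s  %s" % (status, mode, url))
```

Run it against the real configuration file body instead of SAMPLE_CONFIG; a line beginning with FLAG means that connection is in the configuration the advisory calls out, and the connection string should be changed (or the property dropped to return to the extended default) before or alongside the upgrade.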

The vulnerability affects Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0.

The issue is addressed with the release of versions 9.6.0 (LTS), 9.5.2, 9.4.4, and 9.2.12 (LTS).

This critical vulnerability, along with 24 high-severity vulnerabilities across various Atlassian products including Bamboo, Bitbucket, Confluence, and Jira, was addressed in Atlassian's March 2024 security bulletin. The high-severity vulnerabilities cover a range of issues, including denial-of-service (DoS), path traversal, and remote code execution (RCE), affecting multiple components and third-party dependencies within these platforms.

Atlassian recommends updating affected installations to the latest versions or to one of the newly released fixed versions to mitigate these vulnerabilities.
