Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.
Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.
Described as an SQL injection flaw, it is rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it "presents a lower assessed risk" despite the criticality.
"This org.postgresql:postgresql dependency vulnerability [...] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction," Atlassian said.
According to a description of the flaw in NIST's National Vulnerability Database (NVD), "pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE." Driver versions prior to the ones listed below are impacted –
- 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9, and
- 42.2.28 (also fixed in 42.2.28.jre7)
"SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value," the maintainers said in an advisory last month.
"There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted."
The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –
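The advisory's condition is easy to misread, so the following is an added Python model (not pgjdbc's code, and not from Atlassian or SonarSource) of what happens when the driver renders bound parameters client-side in simple query mode. The query `VULNERABLE_SQL`, the value `-1`, the hostname and the helper names are all constructed for the illustration. It shows how `-?` with a negative number fuses into a `--` line comment that swallows the rest of the statement, how parenthesising negative numbers (the shape of the fix in the patched driver lines) prevents that, and a small audit check for `preferQueryMode=simple` in a JDBC URL or properties map.

```python
from urllib.parse import parse_qs

# Constructed sample: a statement that negates a bound parameter, the shape the
# pgjdbc advisory describes as vulnerable in preferQueryMode=simple.
VULNERABLE_SQL = "SELECT -? AS negated FROM accounts WHERE owner = ?"


def quote_string(value: str) -> str:
    """Simplified standard_conforming_strings quoting: double embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def render_literal(value, parenthesize_negative: bool) -> str:
    """Render one bound value as a client-side literal (model, not pgjdbc code)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, float)):
        text = str(value)
        # Shape of the fix: wrap a negative number in parentheses so a '-' that
        # precedes the placeholder in the SQL cannot fuse with it into '--'.
        if parenthesize_negative and text.startswith("-"):
            return "(" + text + ")"
        return text
    return quote_string(str(value))


def render_simple(sql: str, params, parenthesize_negative: bool = False) -> str:
    """Substitute each '?' outside a string literal with its rendered value."""
    remaining = list(params)
    out = []
    in_string = False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
            out.append(ch)
        elif ch == "?" and not in_string:
            if not remaining:
                raise ValueError("more placeholders than parameters")
            out.append(render_literal(remaining.pop(0), parenthesize_negative))
        else:
            out.append(ch)
    if remaining:
        raise ValueError("more parameters than placeholders")
    return "".join(out)


def effective_sql(sql: str) -> str:
    """Drop '--' line comments outside string literals: what the server parses."""
    lines = []
    in_string = False
    for line in sql.splitlines():
        kept = []
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == "'":
                in_string = not in_string
            elif not in_string and line.startswith("--", i):
                break  # rest of the line is a comment
            kept.append(ch)
            i += 1
        lines.append("".join(kept).rstrip())
    return "\n".join(lines)


def uses_simple_query_mode(jdbc_url: str, properties=None) -> bool:
    """True if the URL query string or a Properties-style dict selects
    preferQueryMode=simple. Conservative: the value is matched case-insensitively."""
    values = parse_qs(jdbc_url.partition("?")[2]).get("preferQueryMode", [])
    if properties and "preferQueryMode" in properties:
        values.append(properties["preferQueryMode"])
    return any(v.strip().lower() == "simple" for v in values)


if __name__ == "__main__":
    rendered = render_simple(VULNERABLE_SQL, [-1, "alice"])
    print(rendered)                 # SELECT --1 AS negated FROM accounts WHERE owner = 'alice'
    print(effective_sql(rendered))  # SELECT
    print(render_simple(VULNERABLE_SQL, [-1, "alice"], parenthesize_negative=True))
    # Hostname below is a constructed example value.
    print(uses_simple_query_mode(
        "jdbc:postgresql://db.example.internal:5432/bamboo?preferQueryMode=simple"))
```

With the default extended protocol, parameters travel to the server separately from the statement text, so no client-side rendering of this kind happens and the `--` fusion cannot occur; the check at the end is what to run against every JDBC URL and properties file in a deployment, not only the one the application ships with.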
- 8.2.1
- 9.0.0
- 9.1.0
- 9.2.1
- 9.3.0
- 9.4.0, and
- 9.5.0
The company also emphasized that Bamboo and other Atlassian Data Center products are unaffected by CVE-2024-1597 as they do not use PreferQueryMode=SIMPLE in their SQL database connection settings. Deployments that override the query mode in their own JDBC connection settings should verify that preferQueryMode is not set to simple.
SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.