Atlassian security advisory reveals four fresh critical flaws – in mail with dead links


Atlassian has emailed its customers to advise of four critical vulnerabilities, but the message had flaws of its own – the links it contained weren't working for all readers at the time of despatch.

The email, seen by The Register, warns of flaws rated 9.0 or higher on the Common Vulnerability Scoring System (CVSS) scale and offers a link to an advisory.

But that link was to a page that did not describe the relevant flaws, instead listing CVE-2023-22518, the 9.1-rated bug announced in late October and later upgraded to a perfect 10/10. Nor did links to the four CVEs the email mentions reach the correct page for about an hour – all produced a Page Not Found error and a suggestion that the page may have been renamed, with another URL that does carry the correct information.

Atlassian told us "There was a small error where emails went out to some customers with incorrect links. As soon as we realized we put a workaround in place so customers were redirected to the appropriate pages. We apologize to our customers for any inconvenience caused with our mistake."

The URLs all include URLdefense.com – a service offered by Proofpoint. Maybe it was Proofpoint's problem.

While the links were dead, Atlassian did manage to publish information about the four fresh problems here.

The four flaws all allow remote code execution and impact the products listed below:

  • CVE-2022-1471 – 9.8/10 – Automation for Jira app (including Server Lite edition), Bitbucket Data Center, Bitbucket Server, Confluence Data Center, Confluence Server, Confluence Cloud Migration App, Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server, Jira Software Data Center, Jira Software Server
  • CVE-2023-22522 – 9.0/10 – Confluence Data Center and Server
  • CVE-2023-22524 – 9.6/10 – Atlassian Companion App for MacOS, Jira Service Management Cloud, Data Center and Server
  • CVE-2023-22523 – 9.8/10 – Assets Discovery app for Jira Service Management Cloud, Jira Service Management Server and Jira Service Management Data Center

The fix for all the flaws is the same: upgrade the product to a fixed version.


Atlassian's emailed advisory urges "you must take immediate action to protect your instance." The Register imagines that was a hard instruction to follow, given the dud links the email contained for some customers.

Atlassian's stated company values include "Don't #@!% the customer" and "Open company, no bullshit." ®