Atlassian has introduced patches for much more than two dozen security flaws, together with a critical bug impacting Bamboo Knowledge Centre and Server that could be exploited devoid of requiring person interaction.
Tracked as CVE-2024-1597, the vulnerability carries a CVSS rating of 10., indicating greatest severity.
Explained as an SQL injection flaw, it’s rooted in a dependency identified as org.postgresql:postgresql, as a end result of which the firm explained it “provides a decrease assessed risk” in spite of the criticality.
“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose belongings in your natural environment vulnerable to exploitation which has higher effects to confidentiality, high affect to integrity, high influence to availability, and needs no consumer interaction,” Atlassian stated.
According to a description of the flaw in the NIST’s Nationwide Vulnerability Databases (NVD), “pgjdbc, the PostgreSQL JDBC Driver, makes it possible for attacker to inject SQL if using PreferQueryMode=Very simple.” The driver versions prior to the types detailed under are impacted –
- 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9, and
- 42.2.28 (also preset in 42.2.28.jre7)
“SQL injection is doable when making use of the non-default connection property preferQueryMode=uncomplicated in blend with software code that has a susceptible SQL that negates a parameter benefit,” the maintainters said in an advisory final month.
“There is no vulnerability in the driver when making use of the default question method. Buyers that do not override the question method are not impacted.”
The Atlassian vulnerability is mentioned to have been launched in the pursuing versions of Bamboo Information Heart and Server –
- 8.2.1
- 9..
- 9.1.
- 9.2.1
- 9.3.
- 9.4., and
- 9.5.
The corporation also emphasized that Bamboo and other Atlassian Info Middle products and solutions are unaffected by CVE-2024-1597 as they do not use the PreferQueryMode=Easy in their SQL database connection configurations.
SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Customers are recommended to update their situations to the most up-to-date edition to safeguard versus any potential threats.
Discovered this article intriguing? Follow us on Twitter and LinkedIn to study extra unique content we submit.
Some parts of this article are sourced from:
thehackernews.com