Atlassian has released patches for more than two dozen security vulnerabilities, including a critical bug affecting Bamboo data centers and servers that could be exploited without user interaction.
Tracked as CVE-2024-1597the vulnerability has a CVSS score of 10.0, indicating the highest severity.
It is described as a SQL injection flaw that is rooted in a dependency called org.postgresql:postgresql, so the company says that despite its importance, the “assessed risk is low.”
“This org.postgresql:postgresql dependency vulnerability […] Potentially allowing an unauthenticated attacker to expose vulnerable assets in your environment to exploitation, with significant impact on confidentiality, integrity, availability, and without requiring user interaction,” Atlassian said.
According to the description of the flaw in the NIST National Vulnerability Database (NVD), “The PostgreSQL JDBC driver pgjdbc allows an attacker to inject SQL when using PreferQueryMode=SIMPLE.” Driver versions prior to the ones listed below are affected Influence –
- 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9, and
- 42.2.28 (also fixed in 42.2.28.jre7)
“SQL injection is possible when using the non-default connection attribute preferQueryMode=simple in conjunction with application code that has vulnerable SQL that negates parameters,” the maintainers said in an advisory last month. value.”
“The driver is not vulnerable when using the default query mode. Users who do not override the query mode are not affected.”
The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –
- 8.2.1
- 9.0.0
- 9.1.0
- 9.2.1
- 9.3.0
- 9.4.0, and
- 9.5.0
The company also emphasized that Bamboo and other Atlassian Data Center products are not affected by CVE-2024-1597 because they do not use PreferQueryMode=SIMPLE in their SQL database connection settings.
SonarSource security researcher Paul Gerste is credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.
