Atlassian has today emailed us alerting us to the following:
Jira Service Management Cloud, Data Center and Server:
• CVE-2023-22523 – RCE vulnerability in Assets Discovery app
• CVE-2022-1471 – SnakeYAML library RCE vulnerability impacts multiple products (Data Center and Server only)
Jira Software and Jira Core Data Center and Server, Automation for Jira apps:
• CVE-2022-1471 – SnakeYAML library RCE vulnerability impacts multiple products
However, doing the following search at jira.atlassian.com:
text ~ CVE-2023-22523
found nothing.
For the next CVE:
text ~ CVE-2022-1471
also found nothing.
Doing a general internet search across atlassian.com:
site:atlassian.com CVE-2023-22523
found nothing, and for:
site:atlassian.com CVE-2022-1471
the only result is:
Trivy vulnerabiltiy scan of atlassian/jira-softwar...
Where could I go next to find out what Jira versions are affected, please, and monitor for any patches to be released?
The email should have links to the relevant pages - see all the links and advisories on this page: https://confluence.atlassian.com/security/security-advisories-bulletins-1236937381.html
Ste
Yeah, the email had links; unfortunately they were broken. I replied back for updated links.
Thanks so much for the link you provided, I can see it references the two CVEs in question:
CVE-2023-22523 - RCE Vulnerability in Assets Discovery | Atlassian Support | Atlassian Documentation
and
that's very helpful, thank you @Ste Wright :)
I checked the email and the links are there - but they do link to redirects!
I've let Atlassian know also :)
Ste