Atlassian has today emailed us alerting us to the following:
Jira Service Management Cloud, Data Center and Server
• CVE‑2023‑22523 – RCE vulnerability in Assets Discovery app
• CVE‑2022‑1471 – SnakeYAML library RCE vulnerability impacts multiple products (Data Center and Server only)
Jira Software and Jira Core Data Center and Server, Automation for Jira apps
• CVE-2022-1471 – SnakeYAML library RCE vulnerability impacts multiple products
However, doing the following searches at jira.atlassian.com
text ~ CVE‑2023‑22523
found nothing
For the next CVE:
text ~ CVE‑2022‑1471
also found nothing
and doing a general internet search across atlassian.com:
site:atlassian.com CVE‑2023‑22523
found nothing,
and for:
site:atlassian.com CVE‑2022‑1471
only shows up:
Trivy vulnerabiltiy scan of atlassian/jira-softwar...
Where could I go next to find out what Jira versions are affected, please, and monitor for any patches to be released?
The email should have links to the relevant pages - see all the links and advisories on this page: https://confluence.atlassian.com/security/security-advisories-bulletins-1236937381.html
Ste
Yeah, the email had links; unfortunately they were broken. I replied back for updated links.
Thanks so much for the link you provided, I can see it references the two CVEs in question:
CVE-2023-22523 - RCE Vulnerability in Assets Discovery | Atlassian Support | Atlassian Documentation
and
That's very helpful, thank you @Ste Wright :)
I checked the email and the links are there - but they do link to redirects!
I've let Atlassian know also :)
Ste