Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

CVE‑2023‑22523 & CVE‑2022‑1471 : unable to find further information nor when a patch is released

PNG Jira Lead
PNG Jira Lead
Contributor
December 5, 2023

Atlassian has today emailed us alerting us to the following:

Jira Service Management Cloud, Data Center and Server
• CVE‑2023‑22523 – RCE vulnerability in Assets Discovery app
• CVE‑2022‑1471 – SnakeYAML library RCE vulnerability impacts multiple products (Data Center and Server only)

Jira Software and Jira Core Data Center and Server, Automation for Jira apps
• CVE-2022-1471 – SnakeYAML library RCE vulnerability impacts multiple products

 

However, doing the following searches at jira.atlassian.com

text ~ CVE‑2023‑22523

found nothing

 

For the next CVE:

text ~ CVE‑2022‑1471

also found nothing

 

and doing a general internet search across atlassian.com:

site:atlassian.com CVE‑2023‑22523

found nothing,

and for:

site:atlassian.com CVE‑2022‑1471

only shows up:

Trivy vulnerabiltiy scan of atlassian/jira-softwar...

 

Where could I go next to find out what Jira versions are affected, please, and monitor for any patches to be released?

Answer
Watch
Like Be the first to like this
795 views

1 answer

1 accepted

2 votes
Answer accepted
Ste Wright
Ste Wright
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 5, 2023

Hi @PNG Jira Lead 

The email should have links to the relevant pages - see all the links and advisories on this page: https://confluence.atlassian.com/security/security-advisories-bulletins-1236937381.html

Ste

View More Comments
PNG Jira Lead
PNG Jira Lead
Contributor
December 5, 2023

yeah the email had links; unfortunately they were broken.  I replied back for updated links.

Thanks so much for the link you provided, I can see it references the two CVEs in question:

CVE-2023-22523 - RCE Vulnerability in Assets Discovery | Atlassian Support | Atlassian Documentation

and

CVE-2022-1471 - SnakeYAML library RCE Vulnerability In Multiple Products | Atlassian Support | Atlassian Documentation

that's very helpful, thank you @Ste Wright :)

Like
Ste Wright
Ste Wright
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 5, 2023

Hi @PNG Jira Lead 

I checked the email and the links are there - but they do link to redirects!

I've let Atlassian know also :)

Ste

Like PNG Jira Lead likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
SERVER
TAGS
AUG Leaders

Atlassian Community Events

    See all events