Hey Folks - today we have another Security bulletin going live for March 2024!
Bamboo CVSS 10
A notable feature of this bulletin is we have a CVSS 10.0 - CRITICAL Listed: CVE-2024-1597 for Bamboo.
Please note that this vulnerability is present in our monthly Security Bulletin instead of a Critical Security Advisory because NO ATLASSIAN Products are actually AFFECTED by this vulnerability. The exploit relies on a particular configuration of Postgres that is NOT utilized by Atlassian. If we had an "Atlassian Risk Score" it would essentially be 0.
> This unexploitable Critical severity vulnerability has a lower assessed risk by Atlassian, so it's disclosed in the Monthly Security Bulletin instead of a Critical Security Advisory. **Bamboo and other Atlassian Data Center products are unaffected by this vulnerability** as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.
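The setting the bulletin refers to is the `preferQueryMode` connection property of the PostgreSQL JDBC driver (pgjdbc); the driver default is `extended`, and only the `simple` value puts a deployment in scope for CVE-2024-1597. As an added example (not part of the original post and not Atlassian code), the following audit pulls that property out of JDBC URLs and Java `.properties` text so an administrator can confirm their own data source is not using the vulnerable mode. All connection strings below are constructed samples.

```python
"""Audit PostgreSQL JDBC settings for preferQueryMode=simple (CVE-2024-1597 precondition)."""
from urllib.parse import parse_qs, urlsplit

DEFAULT_MODE = "extended"   # pgjdbc default when the property is absent
VULNERABLE_MODE = "simple"  # the only mode the bulletin says is in scope


def query_mode_from_jdbc_url(url: str) -> str:
    """Return preferQueryMode from a jdbc:postgresql: URL, lower-cased.

    Matching the key case-insensitively is a deliberate relaxation: pgjdbc keys are
    case-sensitive, but a mis-cased key should be reviewed, not silently ignored.
    """
    if not url.lower().startswith("jdbc:postgresql:"):
        raise ValueError("not a PostgreSQL JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])  # strip 'jdbc:' so urlsplit sees the query
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "preferquerymode":
            return values[-1].strip().lower() or DEFAULT_MODE  # last value wins
    return DEFAULT_MODE


def query_mode_from_properties(text: str) -> str:
    """Return preferQueryMode from Java .properties text (key=value form only)."""
    mode = DEFAULT_MODE
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # comment lines in .properties syntax
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "preferquerymode":
            mode = value.strip().lower() or DEFAULT_MODE
    return mode


def audit_settings(settings: dict[str, str]) -> list[str]:
    """Return the names of data sources whose effective mode is 'simple'."""
    flagged = []
    for name, raw in settings.items():
        is_url = raw.lower().startswith("jdbc:")
        mode = query_mode_from_jdbc_url(raw) if is_url else query_mode_from_properties(raw)
        if mode == VULNERABLE_MODE:
            flagged.append(name)
    return sorted(flagged)


SAMPLE_SETTINGS = {  # constructed samples, not real deployments
    "bamboo-default": "jdbc:postgresql://db.example.internal:5432/bamboo",
    "custom-simple": "jdbc:postgresql://db.example.internal:5432/app?ssl=true&preferQueryMode=simple",
    "props-file": "# datasource\nurl=jdbc:postgresql://db/app\npreferQueryMode=SIMPLE\n",
}

if __name__ == "__main__":
    print("in scope for CVE-2024-1597:", audit_settings(SAMPLE_SETTINGS))
```

A data source that is absent from the audit output is using the default `extended` mode, which is the position the bulletin describes for Bamboo and the other Data Center products.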
LTS Releases
Various Atlassian products had new LTS major versions released last week. In this case, we have fresh new LTS major versions for Bamboo and Bitbucket. We have both listed in our "recommended" versions in the security bulletin this month.
Updates/Improvements
I also want to note that we have several CAC (Confluence.Atlassian.com) page visual changes queued for our site to make reading security bulletins (ESPECIALLY on Mobile) easier. These changes were on track to go out today alongside the bulletin but were sadly blocked. I'd expect to see this implemented in a few days. I apologize for being unable to update the March bulletin format. We should see a notable improvement in readability in future bulletins.
We also have a number of Vulnerability Disclosure Portal and API updates in the queue based on the great feedback from customers and the community post last month. I will share more details once they are released!
Once again, I am happy to answer any bulletin-related questions or feedback you might have.
Lee Berg