Atlassian has issued updates to address over two dozen security vulnerabilities across its product suite, with a particular emphasis on a critical flaw found within Bamboo Data Center and Server. This flaw, assigned the identifier CVE-2024-1597, stands out due to its potential for exploitation without any user interaction, possessing a Common Vulnerability Scoring System (CVSS) rating of 10.0 – the highest severity score.
Vulnerability Details:
The critical vulnerability is an SQL injection flaw that stems from a dependency on org.postgresql:postgresql. Despite the high criticality of this flaw, Atlassian assesses the risk as lower due to the specific circumstances under which the vulnerability can be exploited. CVE-2024-1597 allows unauthenticated attackers to perform SQL injection attacks, posing significant risks to the confidentiality, integrity, and availability of assets within the affected environment.
Affected Versions:
The vulnerability impacts the following versions of Bamboo Data Center and Server:
- 8.2.1
- 9.0.0
- 9.1.0
- 9.2.1
- 9.3.0
- 9.4.0
- 9.5.0
Atlassian clarifies that Bamboo and other Atlassian Data Center products are not affected by CVE-2024-1597, as they do not utilize the PreferQueryMode=SIMPLE setting in their SQL database connection configurations.
Driver Impact:
The underlying issue is attributed to the PostgreSQL JDBC Driver (pgjdbc), where SQL injection becomes feasible when the PreferQueryMode=SIMPLE setting is combined with application code that negates a query parameter (applies a minus sign to a parameter placeholder). The driver versions impacted include:
- Prior to 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9
- 42.2.28 (and 42.2.28.jre7)
It is important to note that the default query mode of the driver does not introduce this vulnerability, and users who have not altered the query mode setting remain unaffected.
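Since the exposure hinges on whether PreferQueryMode=SIMPLE is set at all, a quick audit of connection settings is a practical first check. The following is an added example, not Atlassian's or pgjdbc's own code: a Python script that scans JDBC URLs and Java-style properties for that setting. The sample configuration text and every property name other than pgjdbc's own preferQueryMode are constructed for illustration.

```python
"""Audit JDBC configuration for pgjdbc's simple query mode (preferQueryMode=simple)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

PROPERTY = "preferQueryMode"   # pgjdbc connection property
RISKY_VALUE = "simple"         # the value this article's precondition depends on

# A jdbc:postgresql URL embedded anywhere in the config text.
URL_RE = re.compile(r"jdbc:postgresql:[^\s\"']+", re.IGNORECASE)
# A property line such as "preferQueryMode=simple" or "dataSource.preferQueryMode = simple"
# (a prefixed form is how some pools pass properties through; prefixes here are assumed).
PROP_LINE = re.compile(
    r"^\s*(?:[\w.\-]*\.)?preferQueryMode\s*[=:]\s*(\S+)", re.IGNORECASE | re.MULTILINE
)


def query_mode_from_url(jdbc_url: str) -> Optional[str]:
    """Return the preferQueryMode value carried in a jdbc:postgresql URL, or None."""
    if not jdbc_url.lower().startswith("jdbc:postgresql:"):
        return None
    parts = urlsplit(jdbc_url[len("jdbc:"):])   # drop "jdbc:" so urlsplit sees the rest
    mode = None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == PROPERTY.lower():      # case-insensitive to stay conservative
            mode = value                         # report the last occurrence
    return mode


def find_simple_mode(config_text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for every place simple query mode is enabled."""
    findings: List[Tuple[str, str]] = []
    for m in URL_RE.finditer(config_text):
        if (query_mode_from_url(m.group(0)) or "").lower() == RISKY_VALUE:
            findings.append(("url", m.group(0)))
    for m in PROP_LINE.finditer(config_text):
        if m.group(1).lower() == RISKY_VALUE:
            findings.append(("property", m.group(0).strip()))
    return findings


# Constructed sample; not a real Bamboo configuration.
SAMPLE_CONFIG = """\
bamboo.jdbc.url=jdbc:postgresql://db.example.internal:5432/bamboo?ssl=true&preferQueryMode=simple
other.jdbc.url=jdbc:postgresql://db.example.internal:5432/other?ssl=true
dataSource.preferQueryMode=extended
legacy.dataSource.preferQueryMode = SIMPLE
"""

if __name__ == "__main__":
    for kind, detail in find_simple_mode(SAMPLE_CONFIG):
        print(f"[{kind}] simple query mode enabled: {detail}")
```

Run it over exported properties files or the environment of a Bamboo host; any finding means the driver-level precondition for CVE-2024-1597 is present and the setting should be removed or the driver updated.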
Mitigation and Recommendations:
Organizations running affected versions of Bamboo Data Center and Server are urged to apply the provided patches immediately to mitigate the risk posed by CVE-2024-1597. Additionally, reviewing and updating the PostgreSQL JDBC Driver to the latest non-vulnerable versions is recommended for those who might be indirectly affected through the use of the PreferQueryMode=SIMPLE setting.
Conclusion:
The patching of CVE-2024-1597 by Atlassian underscores the critical importance of maintaining up-to-date software and dependencies to protect against potential cybersecurity threats. Organizations are advised to regularly audit and update their software infrastructure to defend against the exploitation of newly discovered vulnerabilities.