Atlassian has released patches for more than two dozen security flaws, including a critical bug affecting Bamboo Data Center and Server that could be exploited without requiring user interaction.
Tracked as CVE-2024-1597, the vulnerability has a CVSS score of 10.0, indicating maximum severity.
Described as a SQL injection flaw, it is rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it “has a lower assessed risk” despite the criticality.
“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose resources in the environment that are susceptible to exploitation, which has a high impact on confidentiality, a high impact on integrity, a high impact on availability, and requires no user interaction,” Atlassian said.
According to a description of the flaw in NIST’s National Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC driver, allows the attacker to inject SQL if it uses PreferQueryMode=SIMPLE.” Driver versions earlier than those listed below are affected:
- 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9
- 42.2.28 (also fixed in 42.2.28.jre7)
“SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has vulnerable SQL that negates the value of a parameter,” maintainers said in an advisory last month.
“There is no vulnerability in the driver when using the default query mode. Users who do not override the query mode are not affected.”
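Both conditions from the advisory (a pgjdbc release older than the fixed version for its branch, and preferQueryMode=simple actually set) have to hold for an application to be exposed. The following audit helper, added here as an example and not code from Atlassian or the pgjdbc project, checks a driver version against the fixed releases listed above and inspects a JDBC URL or Properties-style dict for the non-default query mode; the branch table and the "unlisted" outcome for 42.x branches the advisory does not name are assumptions of this example.

```python
from urllib.parse import parse_qs

# Fixed pgjdbc releases per 42.x branch, taken from the advisory list above.
FIXED = {"42.7": (42, 7, 2), "42.6": (42, 6, 1), "42.5": (42, 5, 5),
         "42.4": (42, 4, 4), "42.3": (42, 3, 9), "42.2": (42, 2, 28)}

def parse_version(v):
    """Turn '42.2.28.jre7' into (42, 2, 28); a trailing qualifier like 'jre7' is ignored."""
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if len(nums) < 3:
        raise ValueError(f"unrecognised pgjdbc version: {v!r}")
    return tuple(nums[:3])

def driver_status(version):
    """Return 'fixed', 'affected' or 'unlisted' for a pgjdbc version string."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED:
        # Assumption: a branch the advisory does not list gets flagged for manual review.
        return "unlisted"
    return "fixed" if v >= FIXED[branch] else "affected"

def uses_simple_mode(jdbc_url, props=None):
    """True if preferQueryMode=simple is set in the URL query string or in the
    connection properties. Matching is case-insensitive to stay conservative."""
    props = props or {}
    values = [props[k] for k in props if k.lower() == "preferquerymode"]
    query = jdbc_url.partition("?")[2]
    for key, vals in parse_qs(query).items():
        if key.lower() == "preferquerymode":
            values.extend(vals)
    return any(str(x).strip().lower() == "simple" for x in values)

def assess(version, jdbc_url, props=None):
    """Combine both conditions: exposure needs an old driver AND simple query mode."""
    status = driver_status(version)
    if status == "fixed":
        return "driver patched"
    if not uses_simple_mode(jdbc_url, props):
        return f"driver {status}, but default query mode in use: not affected"
    return f"driver {status} and preferQueryMode=simple: update driver"

if __name__ == "__main__":
    # Constructed sample connection string, not a real deployment.
    print(assess("42.5.4", "jdbc:postgresql://db.example.test:5432/bamboo?preferQueryMode=simple"))
```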
The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server:
- 8.2.1
- 9.0.0
- 9.1.0
- 9.2.1
- 9.3.0
- 9.4.0
- 9.5.0
The company also highlighted that Bamboo and other Atlassian Data Center products are not affected by CVE-2024-1597 as they do not use PreferQueryMode=SIMPLE in their SQL database connection settings.
SonarSource security researcher Paul Gerste was credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect themselves from any threats.