Warning

This is a public space:

For the draft, please restrict the page during creation and
remove this warning when page is published

English
Contents
German
Inhalte

French
Contenu

Table of Contents

Page properties

Date	06 Dec 2023
Product	Atlassian Server and Data Center Confluence Data Center and Server Jira Software Data Center and Server Jira Service Management Data Center and Server Jira Core Data Center and Server Bitbucket Data Center and Server Atlassian Server and Data Center 3rd-party Apps Confluence Cloud Migration App (CCMA) Automation for Jira (A4J) app (including Server Lite edition) Assets Discovery (stand-alone app) Atlassian Cloud Jira Service Management Cloud → Assets Discovery (stand-alone app)
Vulnerability	Critical
CVE	CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523
Official link	https:// atlassianpartners confluence.atlassian. net com/ wiki/spaces/news/blog/2023/12/04/368808312/Advanced+Notice+RCE+Vulnerabilities+Identified+in+Multiple+Products+-+December+6+2023 needs to be replacedsecurity/december-2023-security-advisories-overview-1318892103.html

Multiple Products Security Advisory - CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523

Affected versions CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Fixed Versions

English

Dear customer,

On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for it's its on-premise software products, the Confluence Cloud Migration App, and the Assets Discovery (stand-alone app) for Cloud and on-premise.

What you need to know

Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

Product	Affected Versions
Confluence Data Center and Server	6.13.x 6.14.x 6.15.x 7.0.x 7.1.x 7.2.x 7.3.x 7.4.x 7.5.x 7.6.x 7.7.x 7.8.x 7.9.x 7.10.x 7.11.x 7.12.x 7.13.0 7.13.1 7.13.2 7.13.3 7.13.4 7.13.5 7.13.6 7.13.7 7.13.8 7.13.9 7.13.10 7.13.11 7.13.12 7.13.13 7.13.14 7.13.15 7.13.16 7.13.17 7.14.x 7.15.x 7.16.x 7.17.x 7.18.x 7.19.0 7.19.1 7.19.2 7.19.3 7.19.4 7.19.5 7.19.6 7.19.7 7.19.8 7.19.9 7.20.x 8.0.x 8.1.x 8.2.x 8.3.0
Jira Software Data Center and Server	9.4.0 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.4.6 9.4.7 9.4.8 9.4.9 9.4.10 9.4.11 9.4.12 9.5.x 9.6.x 9.7.x 9.8.x 9.9.x 9.10.x 9.11.0 9.11.1
Jira Service Management Data Center and Server	5.4.0 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7 5.4.8 5.4.9 5.4.10 5.4.11 5.4.12 5.5.x 5.6.x 5.7.x 5.8.x 5.9.x 5.10.x 5.11.0 5.11.1
Jira Core Data Center and Server	9.4.0 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.4.6 9.4.7 9.4.8 9.4.9 9.4.10 9.4.11 9.4.12 9.5.x 9.6.x 9.7.x 9.8.x 9.9.x 9.10.x 9.11.0 9.11.1
Bitbucket Data Center and Server	7.17.x 7.18.x 7.19.x 7.20.x 7.21.0 7.21.1 7.21.2 7.21.3 7.21.4 7.21.5 7.21.6 7.21.7 7.21.8 7.21.9 7.21.10 7.21.11 7.21.12 7.21.13 7.21.14 7.21.15 8.0.x 8.1.x 8.2.x 8.3.x 8.4.x 8.5.x 8.6.x 8.7.x 8.8.0 8.8.1 8.8.2 8.8.3 8.8.4 8.8.5 8.8.6 8.9.0 8.9.1 8.9.2 8.9.3 8.10.0 8.10.1 8.10.2 8.10.3 8.11.0 8.11.1 8.11.2 8.12.0
Confluence Cloud Migration App (CCMA)	Plugin versions lower than 3.4.0.
Automation for Jira (A4J) app (including Server Lite edition)	9.0.1 9.0.0 <= 8.2.2

Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

Product	Affected Versions
Confluence Data Center and Server	4.

0

x.

0

x

7

5.

20

x.

0

x

8

6.

0

x.

0

8.6.0

Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Product

Affected Versions

Assets Discovery (Jira Service Management Cloud)

Insight Discovery 1.0 - 3.1.3
Assets Discovery 3.1.4 - 3.1.7
Assets Discovery 3.1.8-cloud - 3.1.11-cloud

Assets Discovery (Jira Service Management Data Center and Server)

Insight Discovery 1.0 - 3.1.7
Assets Discovery 3.1.9 - 3.1.11
Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Product

Affected Versions

Atlassian Companion App for MacOS

All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.

Product	Fixed Versions
Confluence Data Center and Server	7.19.17 (LTS) 8.4.5 8.5.4 (LTS) 8.6.2 8.7.0
Jira Software Data Center and Server	9.11.2 9.12.0 (LTS) 9.4.13 (LTS)
Jira Service Management Data Center and Server	5.11.2 5.12.0 (LTS) 5.4.13 (LTS)
Jira Core Data Center and Server	9.11.2 9.12.0 (LTS) 9.4.13 (LTS)
Bitbucket Data Center and Server	7.21.16 (LTS) 8.10.4 8.11.3 8.12.1 8.13.0 8.8.7 8.9.4 (LTS)
Confluence Cloud Migration App (CCMA)	3.4.0
Automation for Jira (A4J) app (including Server Lite edition)	9.0.2 8.2.4
Assets Discovery (Jira Service Management Cloud)	Assets Discovery 3.2.0-cloud or later
Assets Discovery (Jira Service Management Data Center and Server)	Assets Discovery 6.2.0 or later
Atlassian Companion App for MacOS	2.0.0

What should I do? - On-Premise Products

Localtab Group

Localtab

active	true
title	Server & Data Center
tabIcon	bvicon-server

You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.

Update

Update to a version listed in Fixed Versions.

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.

Workaround

There are currently no workarounds.

Localtab

title	Cloud
tabIcon	bvicon-cloud

You use Assets Discovery (standalone app) in Jira Service Management Cloud

Note
Update to Assets Discovery 3.2.0-cloud or later

If you don't use Assets Discovery (standalone app) you are not affected by the vulnerability.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.

Update

LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.

bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update.

Workaround

There are currently no workarounds.

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.

German

Dear customer,

On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for it's on-premise software products, Confluence Cloud Migration App, and the Assets Discovery (stand-alone app) for Cloud and on-premise.

What you need to know

Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

Product

Affected Versions

Confluence Data Center and Server

6.13.x
6.14.x
6.15.x
7.0.x
7.1.x
7.2.x
7.3.x
7.4.x
7.5.x
7.6.x
7.7.x
7.8.x
7.9.x
7.10.x
7.11.x
7.12.x
7.13.0
7.13.1
7.13.2
7.13.3
7.13.4
7.13.5
7.13.6
7.13.7
7.13.8
7.13.9
7.13.10
7.13.11
7.13.12
7.13.13
7.13.14
7.13.15
7.13.16
7.13.17
7.14.x
7.15.x
7.16.x
7.17.x
7.18.x
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.19.8
7.19.9
7.20.x
8.0.x
8.1.x
8.2.x
8.3.0

Jira Software Data Center and Server

9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1

Jira Service Management Data Center and Server

5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.x
5.6.x
5.7.x
5.8.x
5.9.x
5.10.x
5.11.0
5.11.1

Jira Core Data Center and Server

9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1

Bitbucket Data Center and Server

7.17.x
7.18.x
7.19.x
7.20.x
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.21.8
7.21.9
7.21.10
7.21.11
7.21.12
7.21.13
7.21.14
7.21.15
8.0.x
8.1.x
8.2.x
8.3.x
8.4.x
8.5.x
8.6.x
8.7.x
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.10.0
8.10.1
8.10.2
8.10.3
8.11.0
8.11.1
8.11.2
8.12.0

Confluence Cloud Migration App (CCMA)

Plugin versions lower than 3.4.0.

Automation for Jira (A4J) app (including Server Lite edition)

9.0.1
9.0.0
<= 8.2.2

Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

Product

Affected Versions

Confluence Data Center and Server

4.0.0
7.20.0
8.0.0
8.6.0

x 7.x.x 8.0.x 8.1.x 8.2.x 8.3.x 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.5.0 8.5.1 8.5.2 8.5.3
Confluence Data Center	8.6.0 8.6.1

Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Product

Affected Versions

Assets Discovery (Jira Service Management Cloud)

Insight Discovery 1.0 - 3.1.3
Assets Discovery 3.1.4 - 3.1.7
Assets Discovery 3.1.8-cloud - 3.1.11-cloud

Assets Discovery (Jira Service Management Data Center and Server)

Insight Discovery 1.0 - 3.1.7
Assets Discovery 3.1.9 - 3.1.11
Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Affected versions CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Product

Affected Versions

Atlassian Companion App for MacOS

All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.

Fixed Versions

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.

Product	Fixed Versions
Confluence Data Center and Server	7.19.17 (LTS) 8.4.5 8.5.4 (LTS) 8.6.2 8.7.0
Jira Software Data Center and Server	9.11.2 9.12.0 (LTS) 9.4.13 (LTS)
Jira Service Management Data Center and Server	5.11.2 5.12.0 (LTS) 5.4.13 (LTS)
Jira Core Data Center and Server	9.11.2 9.12.0 (LTS) 9.4.13 (LTS)
Bitbucket Data Center and Server	7.21.16 (LTS) 8.10.4 8.11.3 8.12.1 8.13.0 8.8.7 8.9.4 (LTS)
Confluence Cloud Migration App (CCMA)	3.4.0
Automation for Jira (A4J) app (including Server Lite edition)	9.0.2 8.2.4
Assets Discovery (Jira Service Management Cloud)	Assets Discovery 3.2.0-cloud or later
Assets Discovery (Jira Service Management Data Center and Server)	Assets Discovery 6.2.0 or later
Atlassian Companion App for MacOS	2.0.0

What should I do? - On-Premise Products

Localtab Group

Localtab

active	true
title	Server & Data Center
tabIcon	bvicon-server

You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.

Update

Update to a version listed in Fixed Versions.

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.

Workaround

There are currently no workarounds.

Localtab

title	Cloud
tabIcon	bvicon-cloud

You use Assets Discovery (standalone app) in Jira Service Management Cloud

Note
Update to Assets Discovery 3.2.0-cloud or later

If you don't use Assets Discovery (standalone app) you are not affected by the vulnerability.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.

Update

LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.

bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update.

Workaround

There are currently no workarounds.

Support

Wenn Sie noch Fragen oder Bedenken zu diesem Advisory haben, wenden Sie sich bitte an den bitvoodoo Support via support@bitvoodoo.ch oder support.bitvoodoo.ch.

French

Dear customer,

On the 6th of December 2023, 12am EST, Atlassian issued four Security Advisories for it's on-premise software products, Confluence Cloud Migration App, and the Assets Discovery (stand-alone app) for Cloud and on-premise.

What you need to know

Atlassian has discovered four critical vulnerabilities impacting customers of the products listed below. All four vulnerabilities carry a critical CVSS score of 9.0 or higher, and customers must take immediate action to protect their instances.

Affected versions CVE-2022-1471 - SnakeYAML library RCE Vulnerability Impacts Multiple Products

Product

Affected Versions

Confluence Data Center and Server

6.13.x
6.14.x
6.15.x
7.0.x
7.1.x
7.2.x
7.3.x
7.4.x
7.5.x
7.6.x
7.7.x
7.8.x
7.9.x
7.10.x
7.11.x
7.12.x
7.13.0
7.13.1
7.13.2
7.13.3
7.13.4
7.13.5
7.13.6
7.13.7
7.13.8
7.13.9
7.13.10
7.13.11
7.13.12
7.13.13
7.13.14
7.13.15
7.13.16
7.13.17
7.14.x
7.15.x
7.16.x
7.17.x
7.18.x
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.19.8
7.19.9
7.20.x
8.0.x
8.1.x
8.2.x
8.3.0

Jira Software Data Center and Server

9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1

Jira Service Management Data Center and Server

5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.x
5.6.x
5.7.x
5.8.x
5.9.x
5.10.x
5.11.0
5.11.1

Jira Core Data Center and Server

9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.5.x
9.6.x
9.7.x
9.8.x
9.9.x
9.10.x
9.11.0
9.11.1

Bitbucket Data Center and Server

7.17.x
7.18.x
7.19.x
7.20.x
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.21.8
7.21.9
7.21.10
7.21.11
7.21.12
7.21.13
7.21.14
7.21.15
8.0.x
8.1.x
8.2.x
8.3.x
8.4.x
8.5.x
8.6.x
8.7.x
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.9.0
8.9.1
8.9.2
8.9.3
8.10.0
8.10.1
8.10.2
8.10.3
8.11.0
8.11.1
8.11.2
8.12.0

Confluence Cloud Migration App (CCMA)

Plugin versions lower than 3.4.0.

Automation for Jira (A4J) app (including Server Lite edition)

9.0.1
9.0.0
<= 8.2.2

Affected versions CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server

Product

Affected Versions

Confluence Data Center and Server

4.0.0

7.20.0

8.0.0

8.6.0

Affected Versions CVE-2023-22523 - RCE Vulnerability in Assets Discovery (stand-alone app)

Product	Affected Versions
Assets Discovery (Jira Service Management Cloud)	Insight Discovery 1.0 - 3.1.3 Assets Discovery 3.1.4 - 3.1.7 Assets Discovery 3.1.8-cloud - 3.1.11-cloud
Assets Discovery (Jira Service Management Data Center and Server)	Insight Discovery 1.0 - 3.1.7 Assets Discovery 3.1.9 - 3.1.11 Assets Discovery 6.0.0 - 6.1.14, 6.1.14-jira-dc-8

Affected versions CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Product	Affected Versions
Atlassian Companion App for MacOS	All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.

Fixed Versions

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence, and Bitbucket.

Product	Fixed Versions
Confluence Data Center and Server	7.19.17 (LTS) 8.4.5 8.5.4 (LTS) 8.6.2 or later (Data Center Only) 8.7.0 or later (Data Center Only)
Jira Software Data Center and Server	9.11.2 9.12.0 (LTS) 9.4.13 (LTS)
Jira Service Management Data Center and Server	5.11.2 5.12.0 (LTS) 5.4.

13

14 (LTS)
Jira Core Data Center and Server	9.11.2 9.12.0 (LTS) 9.4.13 (LTS)
Bitbucket Data Center and Server	7.21.16 (LTS) 8.8.7 8.9.4 (LTS) 8.10.4 8.11.3 8.12.1 8.13.0 8.14.0 8.

8.7

15.0 (Data Center Only)
8.

9

16.

4

0 (

LTS

Data Center Only)
Confluence Cloud Migration App (CCMA)	3.4.0
Automation for Jira (A4J) app (including Server Lite edition)	9.0.2 8.2.4
Assets Discovery (Jira Service Management Cloud)	Assets Discovery 3.2.0-cloud or later
Assets Discovery (Jira Service Management Data Center and Server)	Assets Discovery 6.2.0 or later
Atlassian Companion App for MacOS	2.0.0 or later

What should I do? - On-Premise Products

Localtab Group

Localtab

active	true
title	Server & Data Center
tabIcon	bvicon-server

You use the Server or Data Center variant of any Atlassian application in a version listed in Affected Versions.

Update for Server & Data Center

Update to a version listed in Fixed Versions.

Note
bitvoodoo recommends using the latest LTS releases of Jira, Confluence and Bitbucket.

Workaround for Server & Data Center

There are currently no workarounds.

Localtab

title	Cloud
tabIcon	bvicon-cloud

You use Assets Discovery (standalone app) in Jira Service Management Cloud

Note
Update to Assets Discovery 3.2.0-cloud or later

If you don't use Assets Discovery (standalone app) you are not affected by the vulnerability.

Localtab

title	bitvoodoo Cloud
tabIcon	bvicon-cloud

You use Jira, Confluence or Bitbucket Server or Data Center hosted with bitvoodoo.

Update for bitvoodoo Cloud

LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.

bitvoodoo Cloud customers who do not have an LTS update package will be contacted by bitvoodoo in the coming days for coordination for an update.

Workaround for bitvoodoo Cloud

There are currently no workarounds.

Support

Si vous avez des questions concernant cette faille de sécurité, veuillez contact le support de bitvoodoo par support@bitvoodoo.ch ou If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.

Versions Compared

Old Version 5

New Version Current

Key

Multiple Products Security Advisory - CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523

Fixed Versions

What you need to know

What should I do? - On-Premise Products

Update

Workaround

Update

Workaround

What you need to know

Fixed Versions

What should I do? - On-Premise Products

Update

Workaround

Update

Workaround

What you need to know

Fixed Versions

What should I do? - On-Premise Products

Update for Server & Data Center

Workaround for Server & Data Center

Update for bitvoodoo Cloud

Workaround for bitvoodoo Cloud

Pages

Recently updated

Favourite Pages

Page History

Versions Compared

Old Version 5

New Version Current

Key

Multiple Products Security Advisory - CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523

What you need to know

Fixed Versions

What should I do? - On-Premise Products

Update

Workaround

Update

Workaround

What you need to know

Fixed Versions

What should I do? - On-Premise Products

Update

Workaround

Update

Workaround

What you need to know

Fixed Versions

What should I do? - On-Premise Products

Update for Server & Data Center

Workaround for Server & Data Center

Update for bitvoodoo Cloud

Workaround for bitvoodoo Cloud

Pages

Recently updated

Favourite Pages