Atlassian Rolls Out Fixes for Over 2 Dozen Vulnerabilities, Including Critical Bamboo Issue

Atlassian has issued patches addressing more than twenty security vulnerabilities, including a critical bug affecting Bamboo Data Center and Server. This critical flaw, identified as CVE-2024-1597, carries a maximum CVSS score of 10.0 and poses a significant risk due to its potential exploitation without requiring user interaction.

The vulnerability, categorized as an SQL injection flaw, is associated with a dependency named org.postgresql:postgresql. Despite being described as a dependency vulnerability, Atlassian warns that it presents a substantial risk, as it could enable unauthenticated attackers to expose assets within the environment, leading to severe impacts on confidentiality, integrity, and availability.

According to the National Vulnerability Database (NVD), the flaw in the PostgreSQL JDBC Driver, identified as “pgjdbc,” allows attackers to inject SQL queries when using PreferQueryMode=SIMPLE. The impacted driver versions include 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 (also fixed in 42.2.28.jre7).

The vulnerability arises when utilizing the non-default connection property preferQueryMode=simple alongside vulnerable SQL code that negates a parameter value. However, the maintainers clarify that there’s no vulnerability in the driver when using the default query mode, and users who do not override the query mode remain unaffected.

The affected versions of Bamboo Data Center and Server where the vulnerability is present include 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0. Atlassian assures that Bamboo and other Data Center products are not impacted by CVE-2024-1597, as they do not utilize PreferQueryMode=SIMPLE in their SQL database connection settings.
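An added defensive check (example code, not from Atlassian, pgjdbc or this article) that tests a JDBC URL for the non-default preferQueryMode=simple property, scans SQL text for a placeholder written directly after a unary minus, and produces a hardened URL with the property removed; the sample URL, the SQL strings and the negation pattern are constructed assumptions.

```python
"""Audit for the two CVE-2024-1597 preconditions named in the article:
(1) the non-default pgjdbc property preferQueryMode=simple, and
(2) SQL that negates a bound parameter, e.g. "WHERE amount = -?".
Constructed example; not Atlassian's or pgjdbc's own code."""
import re
from urllib.parse import parse_qsl, urlencode

# Heuristic (assumption): a "?" placeholder written directly after a unary
# minus. A preceding "-" is excluded so "--" line comments are not matched.
NEGATED_PARAM = re.compile(r"(?<!-)-\?")

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_URL = ("jdbc:postgresql://db.example.internal:5432/bamboo"
              "?ssl=true&preferQueryMode=simple")
SAMPLE_SQL = [
    "SELECT id FROM ledger WHERE amount = -?",             # negates a parameter
    "SELECT id FROM ledger WHERE amount = ? -- audited",   # comment, no negation
    "UPDATE ledger SET amount = amount - ? WHERE id = ?",  # binary minus, spaced
]


def simple_query_mode_enabled(jdbc_url: str) -> bool:
    """True if the URL's property list sets preferQueryMode to simple.
    Matching is case-insensitive on purpose, so variant spellings are flagged."""
    query = jdbc_url.partition("?")[2]
    return any(k.lower() == "preferquerymode" and v.strip().lower() == "simple"
               for k, v in parse_qsl(query, keep_blank_values=True))


def negated_parameters(sql: str) -> list:
    """Offsets of every placeholder immediately preceded by a minus sign."""
    return [m.start() for m in NEGATED_PARAM.finditer(sql)]


def without_simple_query_mode(jdbc_url: str) -> str:
    """Hardened URL: drop preferQueryMode so the driver uses its default mode."""
    base, _, query = jdbc_url.partition("?")
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() != "preferquerymode"]
    return base + ("?" + urlencode(kept) if kept else "")


def audit(jdbc_url: str, statements) -> dict:
    """Report both conditions; 'exposed' is True only when both are present."""
    simple = simple_query_mode_enabled(jdbc_url)
    negating = [s for s in statements if negated_parameters(s)]
    return {"simple_mode": simple, "negating_statements": negating,
            "exposed": simple and bool(negating)}
```

Running `audit(SAMPLE_URL, SAMPLE_SQL)` flags the deployment as exposed, while `audit(without_simple_query_mode(SAMPLE_URL), SAMPLE_SQL)` does not, which mirrors the maintainers' point that the default query mode is unaffected.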

The flaw was discovered and reported by security researcher Paul Gerste from SonarSource. Atlassian urges users to update their instances to the latest version promptly to mitigate any potential threats posed by this vulnerability.
