CVE-2024-1597

PUBLISHED · CVSS 10 · CRITICAL

This unexploitable Critical severity vulnerability has a lower assessed risk by Atlassian; as a result it is disclosed in the Monthly Security Bulletin instead of a Critical Security Advisory. Bamboo and other Atlassian Data Center products are unaffected by this vulnerability as they do not use PreferQueryMode=SIMPLE in their SQL database connection settings.

This Critical severity org.postgresql:postgresql Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server. This org.postgresql:postgresql Dependency vulnerability, with a CVSS Score of 10 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

|Affected versions|Fixed versions|
|---|---|
|from 9.5.0 to 9.5.1|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only|
|from 9.4.0 to 9.4.3|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4|
|from 9.3.0 to 9.3.6|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4|
|from 9.2.0 to 9.2.11 (LTS)|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|from 9.1.0 to 9.1.3|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|from 9.0.0 to 9.0.4|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|from 8.2.0 to 8.2.9|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|Any earlier versions|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).

The National Vulnerability Database provides the following description for this vulnerability: pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
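The description above makes exposure depend on two things at once: the non-default PreferQueryMode=SIMPLE setting and a driver release older than the fix for its branch. As an added example (not code from Atlassian, pgjdbc, or this database), the following Python triage check applies both conditions to a JDBC URL, optional connection properties, and a driver version string; how it treats versions outside the six listed fix branches is an assumption stated in the comments.

```python
from urllib.parse import parse_qs, urlsplit

# Fixed pgjdbc releases named in the NVD description above, keyed by the
# 42.x minor branch.  Handling of versions outside these branches is an
# assumption: pre-42 drivers and the 42.0/42.1 branches are treated as
# affected, branches newer than 42.7 as carrying the fix.
FIXED_PATCH_BY_BRANCH = {7: 2, 6: 1, 5: 5, 4: 4, 3: 9, 2: 8}

def parse_version(version):
    """'42.2.8.jre7' -> (42, 2, 8); any trailing JRE suffix is ignored."""
    parts = version.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised pgjdbc version: {version!r}")
    return tuple(int(p) for p in parts[:3])

def driver_is_affected(version):
    """True if this pgjdbc release predates the fix for its branch."""
    major, minor, patch = parse_version(version)
    if major != 42:
        return major < 42
    if minor not in FIXED_PATCH_BY_BRANCH:
        return minor < 2
    return patch < FIXED_PATCH_BY_BRANCH[minor]

def uses_simple_query_mode(jdbc_url, properties=None):
    """True if preferQueryMode=simple is set in the JDBC URL's query string
    or in the Properties handed to DriverManager.  Either source counts and
    matching is case-insensitive: this is a triage check, so it errs toward
    flagging rather than modelling the driver's exact precedence rules."""
    values = [v[-1] for k, v in parse_qs(urlsplit(jdbc_url).query).items()
              if k.lower() == "preferquerymode"]
    values += [v for k, v in (properties or {}).items()
               if k.lower() == "preferquerymode"]
    return any(str(v).strip().lower() == "simple" for v in values)

def assess(jdbc_url, driver_version, properties=None):
    """Both conditions from the description must hold for exposure."""
    simple = uses_simple_query_mode(jdbc_url, properties)
    affected = driver_is_affected(driver_version)
    return {"simple_query_mode": simple, "driver_affected": affected,
            "exposed": simple and affected}

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    print(assess("jdbc:postgresql://db.internal:5432/app", "42.6.0"))
    print(assess("jdbc:postgresql://db.internal:5432/app?preferQueryMode=simple", "42.6.0"))
```

The same check can be run over a pooled configuration (for example a Properties map loaded from a data source definition) by passing it as the `properties` argument.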

EPSS 0.35% · 57.8th percentile

Risk Scores

  • CVSS 3.1: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • EPSS Score: 0.35% (57.8th percentile)

Affected Products

|Vendor|Product|Versions|
|---|---|---|
|Atlassian|Jira Software Data Center||
|Atlassian|Bamboo Data Center||
|Atlassian|Jira Software Server||
|Atlassian|Confluence Data Center||
|Atlassian|Confluence Server||
|Atlassian|Bamboo Server||

Timeline

  • Feb 8, 2024 PoC Published
  • Feb 19, 2024 CVE Published
  • Feb 20, 2024 EPSS Score
  • Feb 21, 2024 CVE Updated
  • Mar 18, 2024 EPSS Score
  • May 10, 2024 EPSS Score
  • Jun 6, 2024 EPSS Score
  • Jul 3, 2024 EPSS Score
  • Aug 29, 2024 EPSS Score
  • Sep 25, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 22, 2024 EPSS Score