Advisory No: TZCERT/SA/2024/03/21-02
Date of First Release: 21st March 2024
Source: Atlassian
Software Affected: Bamboo Data Center and Bamboo Server
Overview:
Atlassian has released security patches to address a critical vulnerability affecting Bamboo Data Center and Bamboo Server. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability.
Description:
Bamboo Data Center and Server are affected by a critical vulnerability tracked as CVE-2024-1597. The vulnerability is the result of a flaw in pgjdbc, the PostgreSQL JDBC Driver, which could allow an attacker to inject SQL when the driver is used with PreferQueryMode=SIMPLE. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries provide against SQL injection attacks.
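The following audit script is an added example for this advisory (it is not Atlassian or pgjdbc code); it assumes an administrator has the application's JDBC URLs and driver property maps available, and the connection entries below are constructed for illustration. It reports which PostgreSQL connections run in the simple query mode named above, so those instances can be prioritised for patching.

```python
"""Audit pgjdbc connection settings for preferQueryMode=simple (CVE-2024-1597)."""
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

PGJDBC_PREFIX = "jdbc:postgresql:"


def query_mode(jdbc_url: str, props: Optional[dict] = None) -> str:
    """Return the effective preferQueryMode for one pgjdbc connection.

    pgjdbc accepts the option either in the URL query string or in the
    Properties passed to DriverManager.getConnection(); when it is absent
    the driver's default, the extended protocol, applies. This audit treats
    the property map as overriding the URL and compares names and values
    case-insensitively, which is deliberately conservative (assumption).
    """
    if not jdbc_url.startswith(PGJDBC_PREFIX):
        raise ValueError("not a pgjdbc URL")
    # Drop the leading 'jdbc:' so urlsplit sees postgresql://host/db?...
    parts = urlsplit(jdbc_url[len("jdbc:"):])
    url_opts = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    prop_opts = {k.lower(): v for k, v in (props or {}).items()}
    mode = prop_opts.get("preferquerymode", url_opts.get("preferquerymode", "extended"))
    return mode.strip().lower()


def audit(connections: list) -> list:
    """Return the names of pgjdbc connections configured for simple query mode."""
    return [name for name, url, props in connections
            if url.startswith(PGJDBC_PREFIX) and query_mode(url, props) == "simple"]


# Constructed sample inventory: (name, JDBC URL, driver properties or None).
SAMPLE_CONNECTIONS = [
    ("bamboo-prod", "jdbc:postgresql://db.internal:5432/bamboo", None),
    ("bamboo-staging", "jdbc:postgresql://db.internal:5432/bamboo?preferQueryMode=simple&ssl=true", None),
    ("bamboo-ci", "jdbc:postgresql://db.internal:5432/bamboo", {"preferQueryMode": "SIMPLE"}),
    ("reports", "jdbc:postgresql://db.internal:5432/reports?preferQueryMode=extendedForPrepared", None),
    ("legacy-mysql", "jdbc:mysql://db.internal:3306/legacy?useSSL=true", None),  # not pgjdbc, skipped
]

if __name__ == "__main__":
    for name in audit(SAMPLE_CONNECTIONS):
        # Only the simple query mode exercises the flawed code path; the fix is the vendor patch.
        print(f"{name}: preferQueryMode=simple, apply the Atlassian/pgjdbc update")
```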
Impact:
Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.
Solution:
Atlassian has released patches for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
References: