Critical SQL Injection Vulnerability in PgJDBC Affects Atlassian Bamboo Data Center and Server (CVE-2024-1597)

Atlassian recently patched a critical vulnerability and 24 high-severity vulnerabilities, which were disclosed in the March 19 2024 Security Bulletin.

Importantly, the critical vulnerability, identified as CVE-2024-1597, affects the Atlassian Bamboo Data Center and Server and could allow SQL injection attacks without user interaction.

How Critical Is the Atlassian Bamboo Data Center and Server Vulnerability, CVE-2024-1597?

The critical SQL injection vulnerability, identified as CVE-2024-1597, carries a maximum CVSS score of 10.0. This vulnerability presents a severe threat to database security, potentially exposing and allowing tampering with critical data, including customer and corporate information.

According to Atlassian’s advisory, CVE-2024-1597 is found within a non-Atlassian Bamboo dependency, ‘org.postgresql:postgresql’. As Atlassian assessed the risk associated with this dependency to be relatively low, the company chose to disclose the vulnerability in its monthly Security Bulletin rather than a Critical Security Advisory.

As previously mentioned in another SOCRadar blog, this vulnerability affects the PostgreSQL JDBC Driver, commonly known as PgJDBC, which enables Java programs to establish connections to PostgreSQL databases.

How Can Attackers Exploit CVE-2024-1597?

The CVE-2024-1597 vulnerability occurs when the driver is used in a non-default configuration (PreferQueryMode=SIMPLE), making systems vulnerable to SQL injection attacks and potential database takeovers.

Atlassian warns that exploiting this vulnerability successfully could allow unauthenticated attackers to expose assets within your environment, posing a high risk to confidentiality, integrity, and availability, all without requiring user interaction.

To automate vulnerability monitoring across all of your components and assets, use SOCRadar’s Attack Surface Management (ASM) module. The platform delivers timely notifications for new security vulnerabilities and provides valuable insights to optimize patch prioritization procedures.

Which Atlassian Bamboo Data Center and Server Versions Are Affected by CVE-2024-1597?

The critical SQL injection vulnerability impacts the following PostgreSQL JDBC Driver versions:

• 42.7.2
• 42.6.1
• 42.5.5
• 42.4.4
• 42.3.9
• 42.2.28

According to Atlassian, CVE-2024-1597 was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.

It is important to note that other Atlassian Data Center products remain unaffected by CVE-2024-1597 as they do not utilize the PreferQueryMode=SIMPLE setting in their configurations.

How to Secure Your Atlassian Bamboo Data Center and Server?

Update your instances to the most recent versions immediately to protect your Atlassian Bamboo Data Center and Server from exploitation. The Atlassian-provided fixed versions are listed below:

• For 9.5.0 to 9.5.1 → 9.5.2* or 9.6.0* (LTS)
• For 9.4.0 to 9.4.3, 9.3.0 to 9.3.6 → 9.5.2*, 9.4.4, or 9.6.0* (LTS)
• For 9.2.0 to 9.2.11 (LTS) → 9.5.2*, 9.4.4, 9.2.12 (LTS), or 9.6.0* (LTS)
• For 9.1.0 to 9.1.3, 9.0.0 to 9.0.4, 8.2.0 to 8.2.9 → 9.5.2*, 9.4.4, 9.2.12 (LTS), or 9.6.0* (LTS)
• For any earlier versions → 9.5.2*, 9.4.4, 9.2.12 (LTS), or 9.6.0* (LTS)

*Data Center Only

Numerous High-Severity Vulnerabilities Addressed in Atlassian’s March Security Bulletin

Atlassian’s March Security Bulletin addresses 24 high-severity vulnerabilities, with CVE-2024-21677 standing out with a severity score of 8.3. This path traversal vulnerability affects Confluence Data Center and Server, traced back to version 6.13.0.

Exploiting CVE-2024-21677 could enable unauthenticated attackers to compromise confidentiality, integrity, and availability; however, it necessitates user interaction.

Atlassian Data Center and Server versions that are affected by CVE-2024-21677 include 6.13.0, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, and 8.7.1.

Additional vulnerabilities, rated at 7.5, introduce risks like Denial-of-Service (DoS), Remote Code Execution (RCE), and SSRF (Server-Side Request Forgery) attacks. The CVE identifiers for these vulnerabilities and the affected Atlassian products are listed below:

• Bamboo Data Center and Server: CVE-2024-21634
• Bitbucket Data Center and Server: CVE-2024-21634
• Confluence Data Center and Server: CVE-2023-36478
• Jira Software Data Center and Server: CVE-2022-40150, CVE-2023-34455, CVE-2022-42890, CVE-2022-41704, CVE-2022-40146, CVE-2023-1436, CVE-2022-45685, CVE-2022-29546, CVE-2022-40149, CVE-2023-39410, CVE-2023-34454, CVE-2023-34453, CVE-2023-43642, CVE-2022-3509, CVE-2022-3171, CVE-2023-5072, CVE-2022-45688, CVE-2022-34169, CVE-2022-24839, CVE-2022-28366

For more information regarding these vulnerabilities, visit the Atlassian Security Bulletin.

Stay Updated on Vulnerabilities Across Atlassian and More with SOCRadar

The Vulnerability Intelligence module of SOCRadar provides broad details and the latest updates about vulnerabilities, including their lifecycle and exploit activity.

You can search for specific vendors and products on the SOCRadar XTI platform and obtain detailed information about associated CVEs.