SB2023120633 - Remote code execution in Atlassian Assets Discovery
Published: December 6, 2023 Updated: March 22, 2024
Security Bulletin ID
SB2023120633
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2023-22523)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient verification of data authenticity in the agent application when communicating with the Assets Discovery application. A remote attacker can spoof origin of the server application and execute arbitrary commands on the client system.
Remediation
Install update from vendor's website.
References
- https://jira.atlassian.com/browse/JSDSERVER-14893
- https://support.atlassian.com/jira-service-management-cloud/docs/install-asset-discovery-agents/
- https://support.atlassian.com/jira-service-management-cloud/docs/what-are-asset-discovery-agents/
- https://confluence.atlassian.com/security/cve-2023-22523-remote-code-execution-vulnerability-in-assets-discovery-1319248914.html
- https://confluence.atlassian.com/security/cve-2023-22523-rce-vulnerability-in-assets-discovery-1319248914.html
- https://jira.atlassian.com/browse/JSDSERVER-14925