In this week's Security Advisory
Atlassian released security updates to fix twenty-five (25) vulnerabilities impacting Confluence, Jira, Bitbucket servers, and Bamboo servers. The most severe is a critical flaw tracked as CVE-2024-1597, which carries a CVSS score of 10 out of a possible 10. Exploiting this vulnerability could give an attacker unauthorized access to internal environments, bypass security controls, and allow malicious code to be executed. Please note that Atlassian Cloud sites are not affected at this time.
Because Atlassian products are an attractive target for attackers, organizations should apply the patches for this software as soon as possible.
More Reading/Information
WordPress has identified a critical vulnerability, tracked as CVE-2024-2172 with a CVSS score of 9.8 out of 10, affecting the miniOrange malware scanner and web application firewall plugins. The miniOrange malware scanner plugin is an open-source application designed to detect malware infections and potentially harmful scripts on websites. The miniOrange Web Application Firewall plugin monitors and blocks suspicious incoming traffic. CVE-2024-2172 is a vulnerability affecting both plugins that allows an attacker to gain administrator privileges. With that level of access, a threat actor can reach anything on the website, including modifying pages or uploading additional malicious payloads.
Versions Affected:
More Reading/Information
New threat intelligence indicates that a proof-of-concept (POC) exploit has been publicly published for the critical FileCatalyst Transfer Tool vulnerability. Although this vulnerability was discovered and patched in August 2023, a CVE has only now been registered for it; the flaw is tracked as CVE-2024-25153 with a CVSS score of 9.8 out of a possible 10. With the POC made public, exploit attempts against any unpatched FileCatalyst Transfer Tool installation are expected.
Affected Versions:
More Reading/Information
Google and Mozilla released security updates to address several vulnerabilities in the Chrome Desktop Browser and in Mozilla's products, respectively.
Google released a security update to fix twelve (12) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux with one (1) receiving a severity rating of "high".
Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There were a total of thirty-two (32) vulnerabilities affecting Firefox, Firefox ESR, and Thunderbird, with one (1) receiving a severity rating of "critical." These affect Firefox versions prior to 124, Firefox ESR versions prior to 115.9, and Thunderbird versions prior to 115.9.
More Reading/Information
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for any new vulnerability. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which informs and supports your patch and vulnerability management program.
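As an added example (not part of this advisory), the following Python script checks a constructed software inventory against the fixed versions stated above for Firefox (124), Firefox ESR (115.9) and Thunderbird (115.9), the kind of inventory-driven check the patch management advice calls for. The comma-separated inventory format, the product labels and the hostnames are assumptions made for this example; the only advisory-sourced values are the version thresholds.

```python
import re

# Minimum fixed versions stated in the advisory; anything below is affected.
FIXED_VERSIONS = {"firefox": (124,), "firefox-esr": (115, 9), "thunderbird": (115, 9)}

def parse_version(text: str) -> tuple:
    """'115.8.1esr' -> (115, 8, 1): leading digits of each dotted piece, suffixes dropped."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def normalize_product(product: str, version: str) -> str:
    """Route an 'esr'-suffixed Firefox build to the ESR threshold (115.9, not 124)."""
    name = product.strip().lower()
    return "firefox-esr" if name == "firefox" and "esr" in version.lower() else name

def is_affected(product: str, version: str) -> bool:
    key = normalize_product(product, version)
    if key not in FIXED_VERSIONS:
        return False  # product not covered by this advisory
    # Tuple comparison does the version ordering: (115, 8, 0) < (115, 9) is True.
    return parse_version(version) < FIXED_VERSIONS[key]

def scan_inventory(lines) -> list:
    """Return (host, product, version, fixed_in) for each affected inventory line."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if is_affected(product, version):
            key = normalize_product(product, version)
            fixed = ".".join(str(n) for n in FIXED_VERSIONS[key])
            findings.append((host, key, version, fixed))
    return findings

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """\
# host,product,version
ws01,firefox,123.0.1
ws02,firefox,124.0
ws03,Firefox,115.8.0esr
ws04,firefox-esr,115.9.0
ws05,thunderbird,115.8.1
ws06,chrome,122.0.6261.128
""".splitlines()
# scan_inventory(SAMPLE_INVENTORY) flags ws01, ws03 and ws05; ws02 and ws04 are at the fixed version.
```

Running `scan_inventory` over an export from your own inventory tool gives a per-host list of installs that still need the Mozilla update; Chrome and other products fall through untouched because no threshold is defined for them here.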