Australian software company Atlassian released security updates to address a slew of high-risk vulnerabilities, all of which, if exploited, could lead to remote code execution.
The four RCE flaws and the list of impacted products are as follows:
CVE-2022-1471 (Automation for Jira app, including the Server Lite edition) - a deserialization of untrusted data issue caused by insecure input validation when serialized data is processed by SnakeYAML's Constructor() class. A remote attacker can pass specially crafted YAML content to the application and execute arbitrary code on the target system. Affected products include Bitbucket Data Center, Bitbucket Server, Confluence Data Center, Confluence Server, Confluence Cloud Migration App, Jira Core Data Center, Jira Core Server, Jira Service Management Data Center, Jira Service Management Server, Jira Software Data Center and Jira Software Server.
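The root cause of CVE-2022-1471 is easiest to see side by side: SnakeYAML's general-purpose Constructor lets the document pick the class to instantiate, while SafeConstructor only builds plain YAML types. The following is an added illustration, not code from Atlassian or the SnakeYAML project, and assumes the SnakeYAML 1.x API (no-arg Constructor/SafeConstructor; in 2.x both take a LoaderOptions argument); the class tag in the sample is a placeholder name, not a real class.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

// Added illustration (not Atlassian's or SnakeYAML's code). Assumes the SnakeYAML 1.x API,
// where Constructor and SafeConstructor have no-arg constructors; in 2.x pass LoaderOptions.
public class YamlLoaderComparison {

    // VULNERABLE PATTERN (CVE-2022-1471): the general-purpose Constructor honours explicit
    // "!!fully.qualified.ClassName" tags in the document, so untrusted input decides which
    // classes on the classpath are instantiated during load.
    static Object loadUnsafely(String untrustedYaml) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(untrustedYaml);
    }

    // HARDENED PATTERN: SafeConstructor only builds the standard YAML types (maps, lists,
    // scalars) and refuses any tag it does not know, so the document cannot name a class.
    static Object loadSafely(String untrustedYaml) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(untrustedYaml);
    }

    public static void main(String[] args) {
        // Constructed sample: a benign settings document of the kind an app might accept.
        String benign = "name: example\nretries: 3\n";
        Map<?, ?> settings = (Map<?, ?>) loadSafely(benign);
        System.out.println("safe load ok: " + settings);

        // A document carrying an explicit class tag (placeholder class name, not a real
        // gadget) is accepted by Constructor but rejected by SafeConstructor before
        // anything is instantiated.
        String tagged = "!!com.example.NotARealClass {}\n";
        try {
            loadSafely(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

When reviewing a code base for this issue, grep for `new Constructor(` and `new Yaml()` (which defaults to Constructor in 1.x) on any path that loads YAML from outside the trust boundary.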
CVE-2023-22522 (Confluence Data Center and Server) - a template injection issue due to improper input validation. A remote attacker, whether authenticated or using anonymous access, can inject unsafe user input into a Confluence page and execute arbitrary code on the target system. The affected products are Atlassian Confluence Server 4.0 - 8.5.3 and Confluence Data Center 4.0 - 8.7.0.
CVE-2023-22524 (Atlassian Companion App for macOS) - an improper access control issue. A remote attacker can trick the victim into visiting a specially crafted website and use WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper, allowing code execution. The flaw affects Atlassian Companion App for macOS before 2.0.0.
CVE-2023-22523 (Assets Discovery app for Jira Service Management Cloud, Jira Service Management Server and Jira Service Management Data Center) - an insufficient verification of data authenticity issue: the agent application does not adequately verify the authenticity of data it receives when communicating with the Assets Discovery application. A remote attacker can spoof the origin of the server application and execute arbitrary commands on the client system. Assets Discovery versions before 6.2.0 are affected.
While there is no evidence that any of the above-mentioned flaws have been exploited in the wild, given that Atlassian software is a very lucrative target for malicious actors, users are strongly advised to update their installations as soon as possible.