Bitbucket Data Center
BSERV-19386

Bundled JRE in Bitbucket 8.16+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919


Details

    Description

      Issue Summary

      Bitbucket 8.16 and above bundle OpenJDK 17.0.9, which is affected by the vulnerabilities published in the OpenJDK vulnerability advisory of January 2024. The recommendation is to update Java to a release newer than 17.0.9, such as 17.0.10, which contains the fixes.

      • The bundled OpenJDK 17.0.9 is affected by CVE-2024-20918, CVE-2024-20919,
        CVE-2024-20921 and CVE-2024-20945. All four are fixed in OpenJDK 17.0.10.
        (OpenJDK 17 ships no JavaScript engine; Nashorn and its jjs tool were
        removed in JDK 15, so the exposure comes from the runtime the application
        itself runs on, not from a scripting feature.)

      Steps to Reproduce:

      Install Bitbucket 8.16 or later and start it with the bundled JRE.

      Expected Results

      The bundled JRE is not vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945.

      Actual Results

      The bundled JRE is vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945.

      Workaround

      Instead of using the JRE bundled with Bitbucket, manually install a JRE 17.0.10 or later, which includes the fixes for these vulnerabilities, and configure Bitbucket to use it. After restarting, confirm that the Java version Bitbucket reports is 17.0.10 or later, since a JRE_HOME that is set but not exported, or a Bitbucket start script that still resolves the bundled jre directory, silently leaves the vulnerable runtime in use.
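      The following check script is an added example for this issue; it is not part of the Jira report or of Bitbucket itself. It resolves the JRE Bitbucket will start with and tells you whether that JRE is older than OpenJDK 17.0.10, the first 17.x update carrying the fixes. It assumes the installer layout: the installation directory in BITBUCKET_INSTALL (default /opt/atlassian/bitbucket), the bundled JRE in <install-dir>/jre, and any override exported as JRE_HOME by <install-dir>/bin/set-jre-home.sh. Those paths and the name of the override script are assumptions; adjust them for your installation. The sample `java -version` lines in the comments are constructed.

```shell
#!/bin/sh
# check-bitbucket-jre.sh: added example, not Bitbucket's own tooling.
# Reports whether the JRE Bitbucket starts with predates OpenJDK 17.0.10
# (the release that fixes CVE-2024-20918/20919/20921/20945 for the 17 line).
# Assumed layout (adjust if yours differs):
#   $BITBUCKET_INSTALL            installation directory, default /opt/atlassian/bitbucket
#   $BITBUCKET_INSTALL/jre        the bundled JRE this issue is about
#   $BITBUCKET_INSTALL/bin/set-jre-home.sh   exports JRE_HOME when an admin overrode the JRE

FIXED_VERSION="17.0.10"

# Extract the dotted version from the first line of `java -version`, e.g. (constructed):
#   openjdk version "17.0.9" 2023-10-17   -> 17.0.9
#   openjdk version "17.0.10" 2024-01-16  -> 17.0.10
#   java version "1.8.0_392"              -> 1.8.0
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([0-9][0-9.]*\)[^"]*".*/\1/p'
}

# Numeric, field-by-field comparison of two dotted versions; missing fields count as 0.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2 (so "17" < "17.0.10" and "21" > "17.0.10").
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit status 0 (true) when the java described by a `java -version` first line
# still needs the update, 1 when it is already 17.0.10 or later, 2 if unparseable.
jre_needs_update() {
    v=$(java_version_string "$1")
    if [ -z "$v" ]; then
        echo "unrecognised java -version output: $1" >&2
        return 2
    fi
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Resolve the JRE Bitbucket will use: JRE_HOME exported by set-jre-home.sh if present,
# otherwise the bundled jre/ directory (the default this issue describes).
bitbucket_jre_home() {
    install_dir="${1:-${BITBUCKET_INSTALL:-/opt/atlassian/bitbucket}}"
    if [ -r "$install_dir/bin/set-jre-home.sh" ]; then
        # shellcheck disable=SC1090
        . "$install_dir/bin/set-jre-home.sh"
    fi
    printf '%s\n' "${JRE_HOME:-$install_dir/jre}"
}

# Live check only when run as a script (not when the functions are sourced).
if [ "${0##*/}" = "check-bitbucket-jre.sh" ]; then
    jre=$(bitbucket_jre_home "$1")
    line=$("$jre/bin/java" -version 2>&1 | head -n 1)
    if jre_needs_update "$line"; then
        echo "VULNERABLE: $jre reports '$line'; install 17.0.10 or later and point JRE_HOME at it"
        exit 1
    else
        echo "OK: $jre reports '$line'"
    fi
fi
```

Run it as `sh check-bitbucket-jre.sh /opt/atlassian/bitbucket` on the node itself; the exit status is 1 while the vulnerable runtime would still be started, so it can double as a post-upgrade gate. The comparison is done numerically rather than with a string match so that a 17.0.9 install is flagged but 17.0.10, 17.0.11 or a later major release is not; a `--version` line that the pattern does not recognise is reported on stderr instead of being silently treated as fixed.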


          People

            Assignee: Unassigned
            Reporter: Prashant Mulya
            Votes: 0
            Watchers: 2