Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 8.16.0
- 1
- Severity 3 - Minor
- 0
Description
Issue Summary
Bitbucket 8.16 and above bundles OpenJDK 17.0.9, which is vulnerable according to the OpenJDK vulnerability advisory. The recommendation is to update Java to a version later than 17.0.9, such as 17.0.10.
- A vulnerability that allows an attacker to execute arbitrary Java code from the JavaScript engine even though the option --no-java was set (CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945).
Steps to Reproduce:
Install Bitbucket and use the bundled JRE.
Expected Results
The bundled JRE is not vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, or CVE-2024-20945.
Actual Results
The bundled JRE is vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, and CVE-2024-20945.
Workaround
Instead of using the JRE bundled with Bitbucket, manually install a JRE 17.0.10 or later that includes the fixes for these vulnerabilities, and configure Bitbucket to use it.
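The check a practitioner wants before and after applying the workaround is whether the JRE Bitbucket will actually start with reports 17.0.10 or later. The script below is an added example, not part of this issue or of Atlassian's code: it parses `java -version` output and compares the version component by component (a plain string comparison would rank 17.0.9 above 17.0.10). The sample banners are constructed, not captured from a real install; the 17.0.10 threshold comes from the issue text. The installation path in the trailing comment, and the statement that Bitbucket's start scripts pick the JRE up from JRE_HOME or JAVA_HOME, are assumptions to verify against the documentation for your release.

```shell
#!/bin/sh
# Added example (not from the Atlassian issue): verify that a JRE is at
# least 17.0.10, the first 17.x release the issue names as fixed.

MIN_JDK_VERSION="17.0.10"

# version_ge A B: return 0 (true) if dotted version A >= B, else 1.
# Compares numerically per component so that 17.0.9 < 17.0.10.
version_ge() {
  v1=$1
  v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    a=${v1%%.*}
    b=${v2%%.*}
    [ -z "$a" ] && a=0
    [ -z "$b" ] && b=0
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
    case $v1 in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
  done
  return 0
}

# java_version_from_output OUTPUT: extract the numeric version from the
# first line of a `java -version` banner, e.g.
#   openjdk version "17.0.9" 2023-10-17   ->  17.0.9
# Prints nothing if the text does not look like such a banner.
java_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/.*version "\([0-9][0-9.]*\).*/\1/p'
}

# jre_is_patched OUTPUT: true if the banner reports >= MIN_JDK_VERSION.
jre_is_patched() {
  ver=$(java_version_from_output "$1")
  [ -n "$ver" ] && version_ge "$ver" "$MIN_JDK_VERSION"
}

# check_java_binary PATH: run the given java executable and classify it.
# java prints its version banner to stderr, hence 2>&1. Returns 2 if the
# binary cannot be executed at all.
check_java_binary() {
  out=$("$1" -version 2>&1) || return 2
  jre_is_patched "$out"
}

# Constructed sample banners (not captured from a real installation) for
# the version Bitbucket 8.16 bundles and for the first fixed version.
BUNDLED_SAMPLE='openjdk version "17.0.9" 2023-10-17
OpenJDK Runtime Environment (build 17.0.9+9)
OpenJDK 64-Bit Server VM (build 17.0.9+9, mixed mode, sharing)'

PATCHED_SAMPLE='openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7)
OpenJDK 64-Bit Server VM (build 17.0.10+7, mixed mode, sharing)'

for sample in "$BUNDLED_SAMPLE" "$PATCHED_SAMPLE"; do
  if jre_is_patched "$sample"; then
    echo "OK      $(java_version_from_output "$sample")"
  else
    echo "UPDATE  $(java_version_from_output "$sample") (< $MIN_JDK_VERSION)"
  fi
done

# To check a real installation, point check_java_binary at the JRE Bitbucket
# actually uses. The bundled JRE path below is an assumption; adjust it to
# your install, and check the JRE that JRE_HOME/JAVA_HOME points at after
# applying the workaround:
#   check_java_binary /opt/atlassian/bitbucket/8.16.0/jre/bin/java && echo patched
#   check_java_binary "$JAVA_HOME/bin/java" && echo patched
```

Running the script as-is only evaluates the constructed banners and prints one line per sample; the `check_java_binary` calls in the closing comment are what you run against a live host.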