Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Fix
Priority: Medium
Fix Version/s: None
Affects Version/s: 8.16.0
Component/s: Security - Advisories, Security - Other
Labels:

Support reference count:
2
Symptom Severity:
Severity 3 - Minor
UIS:
0

Issue Summary

Bitbucket 8.16 and above bundles OpenJDK 17.0.9 which is vulnerable as per OpenJDK advisory. .The recommendation is to update Java to a version greater than 17.0.9 such as 17.0.10.

A vulnerability that allows an attacker to execute arbitrary java code
from the javascript engine even though the option --no-java was set.
(CVE-2024-20918) (CVE-2024-20919, CVE-2024-20921, CVE-2024-20945)

Steps to Reproduce:

Install Bitbucket and use the bundled JRE.

Expected Results

The bundled JRE is not vulnerable to (CVE-2024-20918) (CVE-2024-20919, CVE-2024-20921, CVE-2024-20945)

Actual Results

The bundled JRE is vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945

Workaround

Instead of using the JRE bundled with Bitbucket, Manually install a JRE 17.0.10 or above that includes fixes for the security vulnerabilities

is related to

BSERV-19457 Bundled JRE in Bitbucket 8.0+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919

Closed

Assignee:: Unassigned
Reporter:: Prashant Mulya
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: 22/Apr/2024 6:45 AM
Updated:: 21/Jul/2024 10:00 AM
Resolved:: 18/Jul/2024 4:39 AM

Details

Description

Issue Summary

Steps to Reproduce:

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Activity

People

Dates