Bundled JRE in Bitbucket 8.0+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919


    • Severity 3 - Minor

      Issue Summary

      Bitbucket 8.0 up to and including 8.5 bundles OpenJDK 8u322, and Bitbucket 8.6 up to and including 8.15 bundles OpenJDK 11.0.21. Both are vulnerable versions according to the OpenJDK advisory.

      The recommendation is to update Java to a release that carries the January 2024 OpenJDK fixes: for Java 8, a release later than 8u392 (8u401, or OpenJDK 8u402, or later); for Java 11, a release later than 11.0.21 (11.0.22 or later), depending on the Bitbucket version.

      • The affected CVEs (CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945) include a flaw that allows an attacker to execute arbitrary Java code from the JavaScript engine even though the option --no-java was set.

      Steps to Reproduce:

      Install Bitbucket and use the bundled JRE.

      Expected Results

      The bundled JRE is not vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945

      Actual Results

      The bundled JRE is vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945

      Workaround

      Instead of using the JRE bundled with Bitbucket, manually install a Java 8 release later than 8u392 that includes the fixes (8u401, or OpenJDK 8u402, or later) OR a JRE 11.0.22 or later (depending on your Bitbucket version), and point Bitbucket at that runtime instead of the bundled one.
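      The check a practitioner would want before and after applying the workaround is whether the runtime Bitbucket actually starts with is at or past the fixed version. The script below is an added example, not part of this issue or of Atlassian's code: it classifies a java.version string against the thresholds named above (Java 8 later than 8u392, taken here as 8u401 since both Oracle 8u401 and OpenJDK 8u402 carry the January 2024 fixes; Java 11 at 11.0.22 or later) and can be pointed at any java binary, such as the bundled one under the Bitbucket installation directory. The install path in the usage comment is a placeholder, and the thresholds are assumptions drawn from the issue text rather than from an Atlassian source.

```shell
#!/bin/sh
# Added example (not from the Bitbucket issue or Atlassian): report whether a
# Java runtime carries the fixes for CVE-2024-20918/20919/20921/20945.
# Assumed thresholds (from the issue text, not an Atlassian source):
#   Java 8  -> 8u401 or later (OpenJDK builds number this 8u402)
#   Java 11 -> 11.0.22 or later
# Only the 8 and 11 lines are classified, since those are what Bitbucket 8.x bundles.

JAVA8_FIXED_UPDATE=401
JAVA11_FIXED_MINOR=0
JAVA11_FIXED_PATCH=22

# Print "fixed", "vulnerable" or "unknown" for a java.version string such as
# "1.8.0_392-b08", "11.0.21+9" or "17.0.9". Always returns 0 so it is safe
# under set -e; the classification is the printed word.
jre_status() {
  ver=$1
  case "$ver" in
    1.8.0_*)
      # Java 8 style: 1.8.0_<update>[-b<build>]
      upd=${ver#1.8.0_}
      upd=${upd%%-*}
      if [ "$upd" -ge "$JAVA8_FIXED_UPDATE" ] 2>/dev/null; then
        echo fixed
      else
        echo vulnerable
      fi
      ;;
    11|11.*)
      # Java 11 style: 11.<minor>.<patch>[+<build>][-<qualifier>]
      core=${ver%%[+-]*}
      oldifs=$IFS
      IFS=.
      set -- $core
      IFS=$oldifs
      minor=${2:-0}
      patch=${3:-0}
      if [ "$minor" -gt "$JAVA11_FIXED_MINOR" ] 2>/dev/null || \
         { [ "$minor" -eq "$JAVA11_FIXED_MINOR" ] && [ "$patch" -ge "$JAVA11_FIXED_PATCH" ]; } 2>/dev/null; then
        echo fixed
      else
        echo vulnerable
      fi
      ;;
    *)
      echo unknown
      ;;
  esac
  return 0
}

# Read the version string that `<java> -version` prints to stderr, e.g. from the
# bundled runtime at <bitbucket-install>/jre/bin/java.
java_version_of() {
  "$1" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# When run with the path to a java binary, report on that runtime.
# Usage (placeholder path): sh check-jre.sh /opt/atlassian/bitbucket/8.15.0/jre/bin/java
if [ "$#" -gt 0 ]; then
  v=$(java_version_of "$1")
  echo "$1 reports java $v: $(jre_status "$v")"
fi
```

      Run it first against the bundled `jre/bin/java` to confirm the "vulnerable" result, then against the replacement runtime (the one JRE_HOME is set to, which on Bitbucket is assumed here to be configured via bin/set-jre-home.sh) to confirm "fixed". A result of "unknown" means a Java line this check does not cover (for example 17), not a clean bill of health.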

            Assignee: Charanjith A C
            Reporter: Amit Singh
            Votes: 1
            Watchers: 5