-
Type:
Public Security Vulnerability
-
Resolution: Fixed
-
Priority:
High
-
Affects Version/s: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9
-
Component/s: None
-
8.9
-
High
-
CVE-2026-5598
-
Atlassian (Internal)
-
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/S:P/AU:Y/U:Red
-
Crucible Data Center, Crucible Server
This High severity Covert timing channel vulnerability was introduced in version 4.9.0 of Crucible Server.
Atlassian recommends that Crucible Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Crucible Data Center and Server 4.9: Upgrade to a release greater than or equal to 4.9.10
See the release notes (https://confluence.atlassian.com/crucible/crucible-releases-298977378.html). You can download the latest version of Crucible Data Center and Server from the download center (https://www.atlassian.com/software/crucible/download-archives).
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.84.