This High severity RCE (Remote Code Execution) vulnerability was introduced in version 4.9.0 of Crucible Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an unauthenticated attacker to execute arbitrary code.

Atlassian recommends that Crucible Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Crucible Data Center and Server 4.9: Upgrade to a release greater than or equal to 4.9.10

See the release notes (https://confluence.atlassian.com/crucible/crucible-releases-298977378.html). You can download the latest version of Crucible Server from the download center (https://www.atlassian.com/software/crucible/download-archives).

The National Vulnerability Database provides the following description for this vulnerability: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.