Atlassian Jira issue BSERV-19457
History: May 23, 2024 - 6:45 a.m.

Bundled JRE in Bitbucket 8.0+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919

Source: jira.atlassian.com
Tags: bitbucket, openjdk, vulnerability, update, cve-2024-20918, cve-2024-20919, cve-2024-20921, cve-2024-20945, jre

CVSS3: 7.4 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

AI Score: 7.2 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 37.3%)

h3. Issue Summary

Bitbucket 8.0 through 8.5 bundles OpenJDK 8u322, and Bitbucket 8.6 through 8.15 bundles OpenJDK 11.0.21. Both are vulnerable versions according to the [OpenJDK advisory|https://openjdk.org/groups/vulnerability/advisories/2024-01-16].

The recommendation is to update Java to a version newer than 8u392 (for example 8u393) or newer than 11.0.21 (for example 11.0.22), depending on the Bitbucket version in use.

  • A vulnerability that allows an attacker to execute arbitrary Java code
    from the JavaScript engine even though the option --no-java was set.
    (CVE-2024-20918) (CVE-2024-20919, CVE-2024-20921, CVE-2024-20945)

h4. Steps to Reproduce:

Install Bitbucket and use the bundled JRE.

h3. Expected Results

The bundled JRE is not vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921 or CVE-2024-20945.

h3. Actual Results

The bundled JRE is vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921 and CVE-2024-20945.

h3. Workaround

Instead of using the JRE bundled with Bitbucket, manually install JRE 8u393 or above, or JRE 11.0.22 or above (depending on your Bitbucket version), which include the fixes for these security vulnerabilities.
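A version check for the workaround above, written here as an added example and not code from the Atlassian issue: it parses a `java -version` banner and compares it against the minimum fixed releases the workaround names (8u393 and 11.0.22). The bundled JRE path `<install>/jre/bin/java` is an assumption, and the sample banners are constructed.

```python
import os
import re
import subprocess

# Minimum fixed releases named in the workaround: 8u393 and 11.0.22.
MIN_FIXED = {8: (8, 393), 11: (11, 0, 22)}

def parse_java_version(banner: str):
    """Return a comparable tuple from a `java -version` banner (printed on stderr).
    Legacy "1.8.0_322" becomes (8, 322); "11.0.21" becomes (11, 0, 21)."""
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        return None
    v = m.group(1)
    legacy = re.match(r"1\.8\.0_(\d+)", v)
    if legacy:
        return (8, int(legacy.group(1)))
    modern = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if modern:
        return tuple(int(p) for p in modern.groups())
    return None

def jre_status(banner: str) -> str:
    """'fixed' if the JRE is at or above the patched release for its major
    version, 'vulnerable' if below it, 'unknown' for unparsable or other majors."""
    ver = parse_java_version(banner)
    if ver is None or ver[0] not in MIN_FIXED:
        return "unknown"
    return "fixed" if ver >= MIN_FIXED[ver[0]] else "vulnerable"

def check_bundled_jre(install_dir: str) -> str:
    """Run the JRE shipped with Bitbucket (assumed location: <install>/jre/bin/java)."""
    java = os.path.join(install_dir, "jre", "bin", "java")
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return jre_status(proc.stderr)

if __name__ == "__main__":
    # Constructed sample banners, not captured from a real installation.
    samples = {
        "Bitbucket 8.5 bundled": 'openjdk version "1.8.0_322"\nOpenJDK Runtime Environment',
        "Bitbucket 8.15 bundled": 'openjdk version "11.0.21" 2023-10-17\nOpenJDK Runtime Environment',
        "manually installed": 'openjdk version "11.0.22" 2024-01-16\nOpenJDK Runtime Environment',
    }
    for label, banner in samples.items():
        print(f"{label}: {jre_status(banner)}")
```

To check a live installation, call `check_bundled_jre("/path/to/atlassian/bitbucket")` instead of the constructed banners.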

Affected configurations (Vulners)

atlassian bitbucket_data_center, range 8.0.0
OR
atlassian bitbucket_data_center, range < 8.9.17
OR
atlassian bitbucket_data_center, range < 8.19.6
