CVSS3: 7.4 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
AI Score: 7.2 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 37.3%)
h3. Issue Summary
Bitbucket 8.0 through Bitbucket 8.5 bundles OpenJDK 8u322, and Bitbucket 8.6 through Bitbucket 8.15 bundles OpenJDK 11.0.21. Both are vulnerable versions according to the [OpenJDK advisory|https://openjdk.org/groups/vulnerability/advisories/2024-01-16].
The recommendation is to update Java to a version greater than 8u392 (such as 8u393) or greater than 11.0.21 (such as 11.0.22), depending on the Bitbucket version.
h4. Steps to Reproduce:
Install Bitbucket and use the bundled JRE.
h3. Expected Results
The bundled JRE is not vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921 and CVE-2024-20945.
h3. Actual Results
The bundled JRE is vulnerable to CVE-2024-20918, CVE-2024-20919, CVE-2024-20921 and CVE-2024-20945.
h3. Workaround
Instead of using the JRE bundled with Bitbucket, manually install JRE 8u393 or later, or JRE 11.0.22 or later (depending on your Bitbucket version), which include the fixes for these vulnerabilities, and run Bitbucket with that JRE instead.
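The workaround leaves it to the administrator to confirm which JRE Bitbucket actually starts with. The POSIX shell script below is an added example, not Atlassian's code and not part of this advisory: it extracts the version from `java -version` output and reports whether it meets the thresholds stated above (8u393 or later for the Java 8 line, 11.0.22 or later for the Java 11 line). The `check_jre_home` helper, the sample `java -version` output (constructed from the version named in the advisory, not captured from a host), and the assumptions that the bundled JRE lives under `<install-dir>/jre` and that Bitbucket honours `JRE_HOME`/`JAVA_HOME` are mine; verify the path against your own installation.

```shell
#!/bin/sh
# Added example (not Atlassian's code): check a JRE against the versions this
# advisory names as fixed (8u393+ or 11.0.22+). Thresholds are the advisory's.

# Constructed sample of `java -version` output for the JRE bundled with
# Bitbucket 8.0-8.5 (built from the version in the advisory, not captured).
SAMPLE_BUNDLED_8='openjdk version "1.8.0_322"
OpenJDK Runtime Environment (build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)'

# Print the quoted version from `java -version` output, e.g.
#   openjdk version "1.8.0_322"           -> 1.8.0_322
#   openjdk version "11.0.21" 2023-10-17  -> 11.0.21
# Works for both "java version" (Oracle) and "openjdk version" lines.
# Returns 1 when no quoted version is found.
java_version_string() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Exit 0 when the version string is one the advisory treats as fixed,
# 1 when it is still vulnerable, 2 when it is neither a Java 8 nor a Java 11 build.
jre_version_is_fixed() {
    case "$1" in
        1.8.0_*)
            # Java 8 strings look like 1.8.0_<update>[-b<build>]; fixed when update >= 393.
            update=${1#1.8.0_}
            update=${update%%[!0-9]*}   # drop "-b06" and distro suffixes
            [ "${update:-0}" -ge 393 ]
            ;;
        11.*)
            # Java 11 strings look like 11.<minor>.<security>[+<build>]; fixed when
            # the security level is >= 22 (any 11.1+ is newer still).
            rest=${1#11.}
            minor=${rest%%.*}
            sec=${rest#*.}
            sec=${sec%%[!0-9]*}         # drop "+9", "-ea", distro suffixes
            [ "${minor:-0}" -gt 0 ] || [ "${sec:-0}" -ge 22 ]
            ;;
        *)
            return 2
            ;;
    esac
}

# Check the JRE rooted at $1 (a JRE_HOME/JAVA_HOME-style directory).
# `java -version` writes to stderr, hence the 2>&1.
check_jre_home() {
    out=$("$1/bin/java" -version 2>&1) || return 2
    ver=$(java_version_string "$out") || return 2
    jre_version_is_fixed "$ver"
}

# Usage: sh jre-check.sh /path/to/bitbucket/jre
# (the bundled JRE under <install-dir>/jre is an assumed location; also run this
# against whatever JRE_HOME/JAVA_HOME you point Bitbucket at after the workaround)
if [ -d "${1:-}" ]; then
    rc=0
    check_jre_home "$1" || rc=$?
    case $rc in
        0) echo "$1: JRE is at or above the advisory threshold" ;;
        1) echo "$1: JRE is VULNERABLE; install 8u393+ or 11.0.22+ and run Bitbucket with it" ;;
        *) echo "$1: could not determine JRE version" ;;
    esac
fi
```

The version parsing deliberately strips build and distribution suffixes such as `-b06`, `+9` or `-8u392-ga-1~22.04` before comparing, since those are the forms `java -version` prints on packaged JREs; an exact string match against "1.8.0_393" would miss a valid newer build.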
CPE
| Name | Operator | Version |
|---|---|---|
| bitbucket data center | le | 8.0.0 |
| bitbucket data center | lt | 8.9.17 |
| bitbucket data center | lt | 8.19.6 |