PT-2023-7936 · Atlassian+5 · Bitbucket+7

Yakov Shafranovich

·

Publicado

2023-11-29

·

Atualizado

2026-05-20

·

CVE-2023-6378

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions logback version 1.4.11 Confluence Data Center and Server versions from 6.0.1 to 8.7.1 Confluence Data Center and Server versions from 8.7.0 to 8.7.1 Confluence Data Center versions from 8.6.0 to 8.6.2 Confluence Data Center versions from 8.5.0 to 8.5.4 LTS Confluence Data Center versions from 8.4.0 to 8.4.5 Confluence Data Center versions from 8.3.0 to 8.3.4 Confluence Data Center versions from 8.2.0 to 8.2.3 Confluence Data Center versions from 8.1.0 to 8.1.4 Confluence Data Center versions from 8.0.0 to 8.0.4 Confluence Data Center versions from 7.20.0 to 7.20.3 Confluence Data Center versions from 7.19.0 to 7.19.17 LTS Confluence Data Center versions from 7.18.0 to 7.18.3 Confluence Data Center versions from 7.17.0 to 7.17.5 Confluence Server versions from 8.5.0 to 8.5.4 LTS Confluence Server versions from 8.4.0 to 8.4.5 Confluence Server versions from 8.3.0 to 8.3.4 Confluence Server versions from 8.2.0 to 8.2.3 Confluence Server versions from 8.1.0 to 8.1.4 Confluence Server versions from 8.0.0 to 8.0.4 Confluence Server versions from 7.20.0 to 7.20.3 Confluence Server versions from 7.19.0 to 7.19.17 LTS Confluence Server versions from 7.18.0 to 7.18.3 Confluence Server versions from 7.17.0 to 7.17.5 Bitbucket Data Center and Server versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0
Description A serialization vulnerability in the logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This issue is only exploitable if the logback receiver component is deployed.
Recommendations For logback version 1.4.11, consider disabling the logback receiver component until a patch is available. For Confluence Data Center and Server versions from 6.0.1 to 8.7.1, upgrade to the latest version or one of the specified supported fixed versions. For Confluence Data Center versions from 8.6.0 to 8.6.2, upgrade to version 8.8.0 or later. For Confluence Data Center versions from 8.5.0 to 8.5.4 LTS, upgrade to version 8.8.0, 8.5.5 LTS, or 8.5.6 LTS. For Confluence Data Center versions from 8.4.0 to 8.4.5, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.3.0 to 8.3.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.2.0 to 8.2.3, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.1.0 to 8.1.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.0.0 to 8.0.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 7.20.0 to 7.20.3, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 7.19.0 to 7.19.17 LTS, upgrade to version 8.8.0, 8.5.6 LTS, 7.19.18 LTS, or 7.19.19 LTS. For Confluence Data Center versions from 7.18.0 to 7.18.3, upgrade to version 8.8.0, 8.5.6 LTS, or 7.19.19 LTS. For Confluence Data Center versions from 7.17.0 to 7.17.5, upgrade to version 8.8.0, 8.5.6 LTS, or 7.19.19 LTS. For Confluence Server versions from 8.5.0 to 8.5.4 LTS, upgrade to version 8.5.5 LTS or 8.5.6 LTS. For Confluence Server versions from 8.4.0 to 8.4.5, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.3.0 to 8.3.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.2.0 to 8.2.3, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.1.0 to 8.1.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.0.0 to 8.0.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 7.20.0 to 7.20.3, upgrade to version 8.5.6 LTS. For Confluence Server versions from 7.19.0 to 7.19.17 LTS, upgrade to version 8.5.6 LTS, 7.19.18 LTS, or 7.19.19 LTS. For Confluence Server versions from 7.18.0 to 7.18.3, upgrade to version 8.5.6 LTS or 7.19.19 LTS. For Confluence Server versions from 7.17.0 to 7.17.5, upgrade to version 8.5.6 LTS or 7.19.19 LTS. For Bitbucket Data Center and Server versions 7.21.0, upgrade to a release greater than or equal to 7.21.19. For Bitbucket Data Center and Server versions 8.9.0, upgrade to a release greater than or equal to 8.9.9. For Bitbucket Data Center and Server versions 8.13.0, upgrade to a release greater than or equal to 8.13.5. For Bitbucket Data Center and Server versions 8.14.0, upgrade to a release greater than or equal to 8.14.4. For Bitbucket Data Center versions 8.15.0, upgrade to a release greater than or equal to 8.15.3. For Bitbucket Data Center versions 8.16.0, upgrade to a release greater than or equal to 8.16.2.

Correção

DoS

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

BDU:2023-09017
CLEANSTART-2026-CI66802
CVE-2023-6378
GHSA-VMQ6-5M68-F53M
OESA-2023-1946
OPENSUSE-SU-2025:15597-1
USN-7616-1

Produtos afetados

Astra Linux
Bitbucket
Bitbucket Server
Confluence
Debian
Linuxmint
Red Os
Ubuntu