Atlassian · Bamboo Data Center/Server · CVE-2022-42003
**Name of the Vulnerable Software and Affected Versions**
FasterXML jackson-databind versions 2.4.0-rc1 through 2.12.7.1
FasterXML jackson-databind versions 2.13.x through 2.13.4.1
Bamboo Data Center and Server versions 9.1.0 through 9.2.4
Bamboo Data Center and Server versions 9.3.0 through 9.3.2
Bitbucket Data Center and Server versions 7.17.0 through 7.21.13
Bitbucket Data Center and Server versions 8.7.0 through 8.9.3
Bitbucket Data Center and Server versions 8.10.0 through 8.10.3
Bitbucket Data Center and Server versions 8.11.0 through 8.11.2
Bitbucket Data Center and Server versions 8.12.0 through 8.12.0
Bitbucket Data Center and Server versions 8.13.0 through 8.13.0
**Description**
The issue is resource exhaustion caused by a missing check in primitive value deserializers, which do not guard against deep wrapper array nesting when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This can allow an unauthenticated attacker to expose assets in the environment susceptible to exploitation, with no impact to confidentiality, no impact to integrity, and high impact to availability, and it requires no user interaction.
**Recommendations**
For FasterXML jackson-databind versions 2.4.0-rc1 through 2.12.7.1, upgrade to version 2.12.7.1 or later.
For FasterXML jackson-databind versions 2.13.x through 2.13.4.1, upgrade to version 2.13.4.2 or later.
For Bamboo Data Center and Server versions 9.1.0 through 9.2.4, upgrade to version 9.2.5 or later.
For Bamboo Data Center and Server versions 9.3.0 through 9.3.2, upgrade to version 9.3.3 or later.
For Bitbucket Data Center and Server versions 7.17.0 through 7.21.13, upgrade to version 7.21.14 or later.
For Bitbucket Data Center and Server versions 8.7.0 through 8.9.3, upgrade to version 8.9.4 or later.
For Bitbucket Data Center and Server versions 8.10.0 through 8.10.3, upgrade to version 8.10.4 or later.
For Bitbucket Data Center and Server versions 8.11.0 through 8.11.2, upgrade to version 8.11.3 or later.
For Bitbucket Data Center and Server versions 8.12.0 through 8.12.0, upgrade to version 8.12.1 or later.
For Bitbucket Data Center and Server versions 8.13.0 through 8.13.0, upgrade to version 8.13.1 or later.