Gary Gregory

**Name of the Vulnerable Software and Affected Versions** Apache Commons Configuration versions 2.0 through 2.10.0 Confluence Data Center and Server versions prior to 8.9.1 Confluence Data Center versions 8.8.0 through 8.8.1 Confluence Data Center versions 8.7.0 through 8.7.2 Confluence Data Center versions 8.6.0 through 8.6.2 Confluence Data Center versions 8.5.0 through 8.5.8 Confluence Data Center versions 8.4.0 through 8.4.5 Confluence Data Center versions 8.3.0 through 8.3.4 Confluence Data Center versions 8.2.0 through 8.2.3 Confluence Data Center versions 8.1.0 through 8.1.4 Confluence Data Center versions 8.0.0 through 8.0.4 Confluence Data Center versions 7.20.0 through 7.20.3 Confluence Data Center versions 7.19.0 through 7.19.22 Confluence Data Center versions 7.18.0 through 7.18.3 Confluence Data Center versions 7.17.0 through 7.17.5 Confluence Server versions 8.5.0 through 8.5.8 Confluence Server versions 8.4.0 through 8.4.5 Confluence Server versions 8.3.0 through 8.3.4 Confluence Server versions 8.2.0 through 8.2.3 Confluence Server versions 8.1.0 through 8.1.4 Confluence Server versions 8.0.0 through 8.0.4 Confluence Server versions 7.20.0 through 7.20.3 Confluence Server versions 7.19.0 through 7.19.22 Confluence Server versions 7.18.0 through 7.18.3 Confluence Server versions 7.17.0 through 7.17.5 **Description** The issue is an Out-of-bounds Write vulnerability in Apache Commons Configuration. This vulnerability can be exploited by submitting a crafted configuration file or input, leading to a denial of service condition. The `ListDelimiterHandler.flatten(Object, int)` function is specifically affected, and exploitation may allow an attacker to execute arbitrary code. Users may see this issue as a 'StackOverflowError' when calling `ListDelimiterHandler.flatten(Object, int)` with a cyclical object tree. **Recommendations** Upgrade Apache Commons Configuration to version 2.10.1. Upgrade Confluence Data Center to version 8.9.1 or the latest version. Upgrade Confluence Server to version 8.5.9 or the latest version. For Confluence Data Center and Server versions that cannot be upgraded to the latest version, upgrade to one of the specified supported fixed versions. As a temporary workaround, consider disabling the `ListDelimiterHandler.flatten(Object, int)` function until a patch is available. Restrict access to the vulnerable `ListDelimiterHandler` module to minimize the risk of exploitation. Avoid using the `ListDelimiterHandler` module in the affected API endpoints until the issue is resolved.