Oss Fuzz

**Name of the Vulnerable Software and Affected Versions** Qt versions 6.3.0 through 6.5.9 Qt versions 6.6.0 through 6.8.4 Qt version 6.9.0 **Description** The issue occurs when a specifically crafted ICNS format image file is loaded in QImage, triggering a crash. **Recommendations** For Qt versions 6.3.0 through 6.5.9, update to version 6.5.10. For Qt versions 6.6.0 through 6.8.4, update to version 6.8.5. For Qt version 6.9.0, update to version 6.9.1.

**Name of the Vulnerable Software and Affected Versions** Golang DecodeConfig (affected versions not specified) **Description** The issue is related to an uncontrolled resource consumption in the DecodeConfig component of the Golang programming language. An attacker can craft a malformed TIFF image, which, when passed to DecodeConfig, will consume a significant amount of memory. This could lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Commons Compress versions 1.19 through 1.21 Confluence Data Center versions from 7.19.23 to 8.9.3 Confluence Data Center versions from 8.5.10 to 8.5.11 Confluence Server versions from 7.19.23 to 7.19.24 Confluence Server versions from 8.5.10 to 8.5.11 **Description** The issue is related to errors in handling input data length parameters, which can lead to a denial of service attack. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory, resulting in an out of memory error even for small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. **Recommendations** For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4. For Confluence Data Center versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.9.4 or 8.5.12 LTS. For Confluence Data Center versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.9.4 or 8.5.12 LTS or 7.19.25 LTS. For Confluence Server versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.5.12 LTS. For Confluence Server versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.5.12 LTS or 7.19.25 LTS. As a temporary workaround, consider restricting the use of the zip package in Compress to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Confluence Data Center versions 7.19.23 through 8.9.3 Confluence Server versions 7.19.23 through 8.5.11 Apache Commons Compress (affected versions not specified) **Description** The issue is related to the allocation of unlimited memory when reading a specially crafted TAR archive, which can lead to an out of memory error. This could be used to mount a denial of service attack against services that use Compress' tar package. **Recommendations** For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4. For Confluence Data Center versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.9.4 or 8.5.12 LTS. For Confluence Data Center versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.9.4 or 8.5.12 LTS or 7.19.25 LTS. For Confluence Server versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.5.12 LTS. For Confluence Server versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.5.12 LTS or 7.19.25 LTS. As a temporary workaround, consider restricting the use of the Compress tar package until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Commons Compress versions prior to the fixed version Confluence Data Center versions from 7.19.23 through 8.9.3 Confluence Data Center versions from 8.5.10 through 8.5.11 Confluence Server versions from 7.19.23 through 7.19.24 Confluence Server versions from 8.5.10 through 8.5.11 **Description** The issue is related to the construction of the list of codecs that decompress an entry in a specially crafted 7Z archive, which can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. An unauthenticated attacker can expose assets in the environment susceptible to exploitation, with no impact to confidentiality, no impact to integrity, and high impact to availability, requiring no user interaction. **Recommendations** For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4. For Confluence Data Center versions from 8.5.10 to 8.5.11, upgrade to version 8.9.4 or 8.5.12. For Confluence Data Center versions from 7.19.23 to 7.19.24, upgrade to version 8.9.4, 8.5.12, or 7.19.25. For Confluence Server versions from 8.5.10 to 8.5.11, upgrade to version 8.5.12. For Confluence Server versions from 7.19.23 to 7.19.24, upgrade to version 8.5.12 or 7.19.25. As a temporary workaround, consider restricting access to the sevenz package until a patch is available.