PT-2022-7161 · Atlassian · Bamboo Server
Published: 2022-09-16 · Updated: 2024-11-15 · CVE-2022-40152
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Woodstox versions 9.1.0 through 9.3.0
Bamboo Data Center and Server versions 9.1.0 through 9.2.1
Bamboo Data Center and Server versions 9.3.0
Description
The issue is a Denial of Service (DoS) condition that can occur when XML data is parsed with DTD support enabled. If the parser runs on user-supplied input, an attacker can supply content that makes the parser crash through a stack overflow, which can be used to mount a denial of service attack.
Recommendations
For Woodstox versions 9.1.0 through 9.3.0, upgrade to a version where DTD support is disabled or properly secured.
For Bamboo Data Center and Server version 9.2, upgrade to a release greater than or equal to 9.2.5.
For Bamboo Data Center and Server version 9.3, upgrade to a release greater than or equal to 9.3.3.
For Bamboo Data Center and Server version 9.4, upgrade to a release greater than or equal to 9.4.0.
As a temporary workaround, consider disabling DTD parsing until a patched release can be deployed.
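The workaround above, as an added example that is not code from the advisory or from the Woodstox project: a StAX factory is configured with DTD support and external entity resolution switched off before any user-supplied XML reaches it. `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` are standard StAX property names; the class name, method names and the sample document are assumptions made for the illustration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedXmlReader {

    // Build a StAX factory with DTD processing disabled. When Woodstox is on the
    // classpath, XMLInputFactory.newFactory() returns its factory; the properties
    // set here are standard StAX properties (default for SUPPORT_DTD is true).
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Skip the DOCTYPE subset instead of parsing it, so attacker-controlled
        // DTD content never reaches the DTD reader.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Also refuse to resolve external entities while handling untrusted input.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Count START_ELEMENT events in the document; with the hardened factory the
    // DOCTYPE in the input is skipped rather than processed.
    public static int countElements(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int count = 0;
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    count++;
                }
            }
        } finally {
            reader.close();
        }
        return count;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample input carrying an internal DTD subset.
        String sample = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE build [ <!ELEMENT build (job)*> <!ELEMENT job EMPTY> ]>\n"
                + "<build><job/><job/></build>";
        System.out.println("elements: " + countElements(hardenedFactory(), sample));
    }
}
```

Apply the same two properties on every `XMLInputFactory` (or Woodstox `WstxInputFactory`) instance that is fed request bodies, webhook payloads or uploaded files; a factory created with defaults elsewhere in the code base keeps DTD processing enabled.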
Exploit
Fix
DoS
Stack Overflow
Memory Corruption
Related Identifiers
Affected Products
Bamboo
Bamboo Server
Debian