PT-2022-7225 · Atlassian · Bamboo Data Center/Server
Published 2020-08-13 · Updated 2025-01-28 · CVE-2020-36518
CVSS v2.0: 7.8 (High)
| Metric | Value |
|---|---|
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
jackson-databind versions prior to 2.13.0
Bitbucket Data Center and Server versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0
Bitbucket Data Center and Server versions prior to 7.21.14, 8.9.4, 8.10.4, 8.11.3, 8.11.4, 8.12.1, 8.12.2, 8.13.1
Bamboo Data Center and Server versions 9.1.0, 9.2.1, 9.3.0
Bamboo Data Center and Server versions prior to 9.2.5, 9.3.3
Description
jackson-databind versions before 2.13.0 deserialize nested JSON objects recursively, so a document with a very large nesting depth exhausts the Java call stack and raises a StackOverflowError. An unauthenticated attacker who can submit such a document can use this to cause a denial of service. The vulnerability affects various Atlassian products that bundle the library, including Bitbucket Data Center and Server, and Bamboo Data Center and Server.
Recommendations
For jackson-databind versions prior to 2.13.0, upgrade to version 2.13.0 or later.
For Bitbucket Data Center and Server versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, upgrade to a fixed release on the corresponding branch: 7.21.14, 8.9.4, 8.10.4, 8.11.3, 8.11.4, 8.12.1, 8.12.2, 8.13.1 or later.
For Bamboo Data Center and Server versions 9.1.0, 9.2.1, 9.3.0, upgrade to a fixed release on the corresponding branch: 9.2.5, 9.3.3 or later.
As a temporary workaround, limit the exposure of the jackson-databind library to untrusted input in order to reduce the risk of exploitation.
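The description above explains the mechanism (recursive deserialization of deeply nested objects overflowing the stack), and the workaround is to keep untrusted input away from the vulnerable deserializer. The following is an added example, not code from the advisory, Atlassian or the jackson-databind project, of one concrete form that workaround can take: a pre-parse guard that scans a JSON document once, counts bracket nesting while skipping over string literals, and rejects the document before it reaches any recursive parser. The depth limit of 1000 and the helper names (`max_nesting_depth`, `safe_loads`, `build_nested_payload`) are assumptions made for this example; the hostile payload is constructed in the code, not captured traffic.

```python
"""Added example (not part of the original advisory): a pre-parse guard that
bounds JSON nesting depth before a document is handed to a recursive
deserializer such as jackson-databind < 2.13.0.

The guard walks the raw text once, tracking '{' / '[' openers and '}' / ']'
closers while skipping over string literals (so brackets inside strings are
not counted), and rejects the document as soon as the depth exceeds a limit.
It runs in O(n) time with O(1) extra memory and no recursion, so it cannot be
driven into a stack overflow by the payload it inspects. The default limit of
1000 is an assumption; derive it from the deepest structure your schema needs.
"""

import json


class NestingTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the configured limit."""


def max_nesting_depth(text: str, limit: int = 1000) -> int:
    """Return the maximum bracket nesting depth of `text`.

    Raises NestingTooDeep as soon as `limit` is exceeded, without reading the
    rest of the input. Brackets inside JSON string literals are ignored.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            # Inside a string literal: honour backslash escapes so an escaped
            # quote does not end the string early, and ignore brackets.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "}]":
            # A negative depth means malformed JSON; the real parser rejects it.
            depth -= 1
    return deepest


def safe_loads(text: str, limit: int = 1000):
    """Parse `text` only after the depth guard has accepted it."""
    max_nesting_depth(text, limit)
    return json.loads(text)


def build_nested_payload(depth: int) -> str:
    """Construct a document of `depth` nested objects (test input, not captured traffic)."""
    return '{"a":' * depth + "1" + "}" * depth


if __name__ == "__main__":
    # Ordinary document: brackets inside the string value are not counted.
    doc = '{"name": "x[y]{z}", "tags": [[1, 2], [3]]}'
    print("depth of benign document:", max_nesting_depth(doc))

    # Constructed hostile input: 100,000 nested objects. A deserializer that
    # recurses once per level would need 100,000 stack frames for this.
    hostile = build_nested_payload(100_000)
    try:
        safe_loads(hostile, limit=1000)
    except NestingTooDeep as err:
        print("rejected:", err)
```

The guard is deliberately simpler than a JSON parser: it only needs to be correct about where strings begin and end, and it fails closed (rejects) at the first bracket past the limit rather than buffering the whole document. The same check fits naturally in a reverse proxy or request filter in front of an application that cannot yet be upgraded. Jackson 2.15 and later ship an equivalent built-in bound, `StreamReadConstraints.maxNestingDepth` (default 1000), which is the preferred control once the library can be upgraded.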
Tags: DoS, Memory Corruption
Affected Products
Almalinux
Astra Linux
Bamboo
Bamboo Data Center/Server
Bitbucket
Bitbucket Data Center/Server
Centos
Jira
Jira Service Management Server
Red Hat
Rocky Linux
Suse