PT-2023-31622 · Atlassian (+2 vendors) · Bitbucket Data Center/Server (+8 products)

Eamonnmcmanus · Published 2023-10-12 · Updated 2025-12-22 · CVE-2023-5072

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

JSON-Java: versions up to and including 20230618
Bitbucket Data Center and Server: versions 7.17.0, 7.21.15, 8.9.4, 8.13.0, 8.14.0, and 8.15.0
Confluence Data Center and Server: version 3.0
Bamboo Data Center and Server: versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0
Description

A denial of service vulnerability was discovered in JSON-Java (org.json). A bug in the parser means that an input string of modest size can cause an unbounded amount of memory to be used. The parser bug can be used to circumvent a check that is supposed to prevent the key of a JSON object from itself being another JSON object. If a key does end up being a JSON object, it is converted to a string, and that string is then quoted using `\` to escape special characters, including `\` itself. Because each level of nesting re-escapes the backslashes produced by the level below it, the number of `\` characters in the escaped string grows exponentially with the nesting depth, exhausting memory and causing a denial of service.
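The amplification step described above, as an added model written for this page; it is not org.json code. `JObj` stands in for `JSONObject`, `quote()` mirrors only the backslash and double-quote handling of `JSONObject.quote()`, and the names `to_json_lenient`, `to_json_strict`, `nested_key_object` and `predict_backslashes` are invented here. The parser bug that lets a key be parsed as an object is deliberately not reproduced: the nested key is constructed in memory so that the serialisation behaviour can be observed on its own. The constructed input is O(depth) in size, yet the escaped output roughly doubles with every level.

```python
"""Model of the CVE-2023-5072 amplification in JSON-Java (org.json).

Added illustration, not org.json code: JObj stands in for JSONObject and
quote() mirrors only the backslash/quote handling of JSONObject.quote().
The parser bypass that lets a key be parsed as an object is NOT reproduced;
the nested key is built directly to show what serialisation does with it.
"""


def quote(s: str) -> str:
    """Escape a string the way a JSON writer must: '\\' -> '\\\\', '"' -> '\\"'.

    Backslashes are escaped first so the backslashes introduced for quotes
    are not doubled again.
    """
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


class JObj:
    """Toy JSON object: an ordered list of (key, value) pairs.

    Keys are meant to be strings, but (modelling the flaw) nothing stops a
    caller from supplying another JObj as a key.
    """

    def __init__(self, pairs):
        self.pairs = list(pairs)


def to_json_lenient(obj) -> str:
    """Serialise, stringifying any non-string key first (the vulnerable shape).

    A JObj used as a key is rendered to JSON text, then that text is quoted as
    if it were an ordinary key, so every '"' and '\\' it already contains is
    escaped once more.
    """
    if isinstance(obj, str):
        return quote(obj)
    if isinstance(obj, JObj):
        parts = []
        for key, value in obj.pairs:
            key_text = key if isinstance(key, str) else to_json_lenient(key)
            parts.append(quote(key_text) + ":" + to_json_lenient(value))
        return "{" + ",".join(parts) + "}"
    raise TypeError(f"unsupported value {type(obj).__name__}")


def to_json_strict(obj) -> str:
    """Hardened shape: refuse non-string keys instead of stringifying them."""
    if isinstance(obj, str):
        return quote(obj)
    if isinstance(obj, JObj):
        parts = []
        for key, value in obj.pairs:
            if not isinstance(key, str):
                raise ValueError("object keys must be strings")
            parts.append(quote(key) + ":" + to_json_strict(value))
        return "{" + ",".join(parts) + "}"
    raise TypeError(f"unsupported value {type(obj).__name__}")


def nested_key_object(depth: int) -> JObj:
    """Build {"a":"b"} wrapped `depth` times as the KEY of an enclosing object.

    Constructed input: each level adds a single pair, so the structure grows
    linearly with depth while its lenient serialisation does not.
    """
    obj = JObj([("a", "b")])
    for _ in range(depth):
        obj = JObj([(obj, "x")])
    return obj


def backslash_count(depth: int) -> int:
    """Number of '\\' characters in the lenient serialisation at `depth`."""
    return to_json_lenient(nested_key_object(depth)).count("\\")


def predict_backslashes(depth: int) -> int:
    """Recurrence for backslash_count, usable at depths far too large to
    materialise: quoting doubles the existing backslashes and adds one per
    existing double quote, and each level contributes four new quotes.
    """
    backslashes, quotes = 0, 4  # {"a":"b"} has 0 backslashes and 4 quotes
    for _ in range(depth):
        backslashes, quotes = 2 * backslashes + quotes, quotes + 4
    return backslashes


if __name__ == "__main__":
    for d in range(6):
        print(d, backslash_count(d))
    print("depth 40 ->", predict_backslashes(40), "backslashes")
    try:
        to_json_strict(nested_key_object(1))
    except ValueError as err:
        print("strict:", err)
```

At depth 1 the output is `{"{\"a\":\"b\"}":"x"}`; from there the backslash count goes 4, 16, 44, 104, 228 and continues to roughly double per level, so a key nested a few dozen levels deep already needs more memory than a server has. The strict variant shows the shape of the defence, rejecting a non-string key outright; the actual fix in JSON-Java is applied in the parser, so that such a key is never constructed in the first place.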
Recommendations

JSON-Java versions up to and including 20230618: upgrade to a version later than 20230618.
Bitbucket Data Center and Server versions 7.17.0, 7.21.15, 8.9.4, 8.13.0, 8.14.0, and 8.15.0: upgrade to the latest version or one of the specified supported fixed versions.
Confluence Data Center and Server version 3.0: upgrade to the latest version or one of the specified supported fixed versions.
Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0: upgrade to the latest version or one of the specified supported fixed versions.

As a temporary workaround where an upgrade cannot be applied immediately, consider disabling the use of JSON-Java for parsing untrusted input until the fixed version is deployed.

Tags: DoS

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling
CWE-358: Improperly Implemented Security Check for Standard

Related Identifiers

CVE-2023-5072
GHSA-4JQ9-2XHW-JPX7
GHSA-RM7J-F5G5-27VV

Affected Products

Bamboo
Bamboo Data Center/Server
Bitbucket
Bitbucket Data Center/Server
Confluence
Confluence Data Center/Server
Debian
Jira
Red Os