PT-2023-4786 · Atlassian · Confluence, Bitbucket, Bitbucket Server

Published

2023-07-12

·

Updated

2024-01-16

·

CVE-2023-3635

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Okio versions prior to 3.4.0 (the release that carries the fix)
Bitbucket Data Center and Server versions 7.17.0 through 8.14.0
Confluence Data Center and Server versions 7.13.0 through 8.7.0
Description

The issue is in the GzipSource class of the Okio library, which does not handle the exception that can be raised while parsing a malformed gzip buffer. An application that decodes a crafted GZIP archive with GzipSource therefore suffers a denial of service of that Okio client. Bitbucket and Confluence are exposed through the Okio library they bundle. The issue can be triggered remotely by an unauthenticated attacker and requires no user interaction; it has no impact on confidentiality or integrity but a high impact on availability (CVSS v2 vector A:C).
Recommendations

Bitbucket Data Center and Server 7.21: upgrade to 7.21.18 or a later 7.21.x release
Bitbucket Data Center and Server 8.9: upgrade to 8.9.7 or a later 8.9.x release
Bitbucket Data Center and Server 8.11: upgrade to 8.11.6 or a later 8.11.x release
Bitbucket Data Center and Server 8.12: upgrade to 8.12.4 or a later 8.12.x release
Bitbucket Data Center and Server 8.13: upgrade to 8.13.3 or a later 8.13.x release
Bitbucket Data Center and Server 8.14: upgrade to 8.14.2 or a later release
Confluence Data Center and Server 7.19: upgrade to 7.19.17 or a later 7.19.x release
Confluence Data Center and Server 8.5: upgrade to 8.5.4 or a later 8.5.x release
Confluence Data Center 8.6: upgrade to 8.6.2 or a later 8.6.x release
Confluence Data Center 8.7: upgrade to 8.7.1 or a later release

Fixed releases exist for every listed branch, so upgrading is the fix. The temporary workaround of avoiding the GzipSource class until a patch can be applied is only actionable in code you control that uses Okio directly on untrusted input; for the packaged Atlassian products, upgrade.
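The description above says only that GzipSource fails on a malformed gzip buffer, and the workaround only says to avoid the class. What a decoder that survives such input looks like, as an added example in Python (not code from this advisory, from Okio or from Atlassian): it parses the RFC 1952 header, reads every length field as an unsigned integer and bounds it by the buffer before use, and funnels every malformed-input case through a single exception type that the caller handles, so a crafted archive costs one rejected request rather than a crashed worker. The signed_short_le helper illustrates the error class named in the title of the GitHub advisory listed below (signed to unsigned conversion); that this is the exact Okio code path, and that the affected field is the gzip FEXTRA length, are assumptions, not something this page states. All inputs are constructed, and the real gzip sample is generated locally.

```python
"""Defensive RFC 1952 (gzip) member decoding.

Added example (Python); not code from this advisory, Okio or Atlassian.
Two rules keep a crafted archive from taking the caller down: every length
field is read unsigned and checked against the buffer before use, and every
malformed-input case surfaces as one exception type the caller handles."""
import gzip
import struct
import zlib

FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10
RESERVED_FLAGS = 0xE0          # FLG bits 5-7 are reserved and must be zero
GZIP_MAGIC = b"\x1f\x8b"


class GzipFormatError(ValueError):
    """The only exception parse_gzip_header raises for malformed input."""


def signed_short_le(two_bytes):
    """What a signed 16-bit read makes of XLEN: 0x8000..0xFFFF come back
    negative, and feeding that to a require()/skip() call without a range
    check dies with an unexpected exception instead of a clean format error.
    Assumed (from the GHSA title) to be the error class behind CVE-2023-3635."""
    return struct.unpack("<h", two_bytes)[0]


def parse_gzip_header(data, max_extra=65535):
    """Parse one gzip member header; return its fields and the body offset."""
    pos = 0

    def take(n):
        nonlocal pos
        if n < 0 or pos + n > len(data):
            raise GzipFormatError("truncated header at offset %d (need %d bytes)" % (pos, n))
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def take_cstring():
        nonlocal pos
        end = data.find(b"\x00", pos)
        if end < 0:
            raise GzipFormatError("unterminated string field at offset %d" % pos)
        value = data[pos:end]
        pos = end + 1
        return value

    magic, cm, flg, mtime, _xfl, os_id = struct.unpack("<2sBBIBB", take(10))
    if magic != GZIP_MAGIC:
        raise GzipFormatError("bad magic %r" % magic)
    if cm != 8:
        raise GzipFormatError("unsupported compression method %d" % cm)
    if flg & RESERVED_FLAGS:
        raise GzipFormatError("reserved FLG bits set: 0x%02x" % flg)
    hdr = {"mtime": mtime, "os": os_id, "extra": b"", "name": None, "comment": None}
    if flg & FEXTRA:
        (xlen,) = struct.unpack("<H", take(2))     # unsigned: never negative
        if xlen > max_extra:
            raise GzipFormatError("extra field too long: %d" % xlen)
        hdr["extra"] = take(xlen)                   # bounded by the buffer
    if flg & FNAME:
        hdr["name"] = take_cstring()
    if flg & FCOMMENT:
        hdr["comment"] = take_cstring()
    if flg & FHCRC:
        expected = zlib.crc32(data[:pos]) & 0xFFFF  # CRC16 covers the header so far
        (got,) = struct.unpack("<H", take(2))
        if got != expected:
            raise GzipFormatError("header CRC16 mismatch")
    hdr["body_offset"] = pos
    return hdr


def safe_gunzip(data):
    """Decode one gzip member: ("ok", payload) or ("rejected", reason).
    No parser exception escapes to the caller."""
    try:
        hdr = parse_gzip_header(data)
        inflater = zlib.decompressobj(-15)          # raw DEFLATE follows the header
        payload = inflater.decompress(data[hdr["body_offset"]:])
        if not inflater.eof or len(inflater.unused_data) < 8:
            raise GzipFormatError("truncated DEFLATE body or trailer")
        crc32, isize = struct.unpack("<II", inflater.unused_data[:8])
        if crc32 != (zlib.crc32(payload) & 0xFFFFFFFF) or isize != (len(payload) & 0xFFFFFFFF):
            raise GzipFormatError("trailer CRC32/ISIZE mismatch")
        return "ok", payload
    except (GzipFormatError, zlib.error) as exc:
        return "rejected", str(exc)


# Constructed inputs, not captured from any real system.
FIXED = b"\x1f\x8b\x08"                                   # magic + CM=8; FLG follows
HEADER_WITH_EXTRA = FIXED + bytes([FEXTRA]) + b"\0" * 6 + b"\x04\x00ABCD"
HEADER_HUGE_XLEN = FIXED + bytes([FEXTRA]) + b"\0" * 6 + b"\x00\x80" + b"\0" * 16
_HCRC_BASE = FIXED + bytes([FHCRC]) + b"\0" * 6
HEADER_BAD_HCRC = _HCRC_BASE + struct.pack("<H", (zlib.crc32(_HCRC_BASE) ^ 1) & 0xFFFF)
SAMPLE_GZIP = gzip.compress(b"hello world", mtime=0)     # generated locally
```

Calling safe_gunzip on HEADER_HUGE_XLEN shows the two halves of the defence together: the XLEN bytes 00 80 read as 32768 unsigned (signed_short_le returns -32768 for the same bytes), and because the buffer is far shorter than that the parser reports a truncated header through GzipFormatError rather than letting an IndexError or a negative slice reach the caller. The same function accepts SAMPLE_GZIP and returns the payload after checking the trailer CRC32 and ISIZE.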

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2023-05234
CVE-2023-3635
GHSA-W33C-445M-F8W7

Affected Products

Bitbucket
Bitbucket Server
Confluence