CVE-2023-6378

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions logback version 1.4.11 Confluence Data Center and Server versions from 6.0.1 to 8.7.1 Confluence Data Center and Server versions from 8.7.0 to 8.7.1 Confluence Data Center versions from 8.6.0 to 8.6.2 Confluence Data Center versions from 8.5.0 to 8.5.4 LTS Confluence Data Center versions from 8.4.0 to 8.4.5 Confluence Data Center versions from 8.3.0 to 8.3.4 Confluence Data Center versions from 8.2.0 to 8.2.3 Confluence Data Center versions from 8.1.0 to 8.1.4 Confluence Data Center versions from 8.0.0 to 8.0.4 Confluence Data Center versions from 7.20.0 to 7.20.3 Confluence Data Center versions from 7.19.0 to 7.19.17 LTS Confluence Data Center versions from 7.18.0 to 7.18.3 Confluence Data Center versions from 7.17.0 to 7.17.5 Confluence Server versions from 8.5.0 to 8.5.4 LTS Confluence Server versions from 8.4.0 to 8.4.5 Confluence Server versions from 8.3.0 to 8.3.4 Confluence Server versions from 8.2.0 to 8.2.3 Confluence Server versions from 8.1.0 to 8.1.4 Confluence Server versions from 8.0.0 to 8.0.4 Confluence Server versions from 7.20.0 to 7.20.3 Confluence Server versions from 7.19.0 to 7.19.17 LTS Confluence Server versions from 7.18.0 to 7.18.3 Confluence Server versions from 7.17.0 to 7.17.5 Bitbucket Data Center and Server versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0

Description A serialization vulnerability in the logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This issue is only exploitable if the logback receiver component is deployed.

Recommendations For logback version 1.4.11, consider disabling the logback receiver component until a patch is available. For Confluence Data Center and Server versions from 6.0.1 to 8.7.1, upgrade to the latest version or one of the specified supported fixed versions. For Confluence Data Center versions from 8.6.0 to 8.6.2, upgrade to version 8.8.0 or later. For Confluence Data Center versions from 8.5.0 to 8.5.4 LTS, upgrade to version 8.8.0, 8.5.5 LTS, or 8.5.6 LTS. For Confluence Data Center versions from 8.4.0 to 8.4.5, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.3.0 to 8.3.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.2.0 to 8.2.3, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.1.0 to 8.1.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 8.0.0 to 8.0.4, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 7.20.0 to 7.20.3, upgrade to version 8.8.0 or 8.5.6 LTS. For Confluence Data Center versions from 7.19.0 to 7.19.17 LTS, upgrade to version 8.8.0, 8.5.6 LTS, 7.19.18 LTS, or 7.19.19 LTS. For Confluence Data Center versions from 7.18.0 to 7.18.3, upgrade to version 8.8.0, 8.5.6 LTS, or 7.19.19 LTS. For Confluence Data Center versions from 7.17.0 to 7.17.5, upgrade to version 8.8.0, 8.5.6 LTS, or 7.19.19 LTS. For Confluence Server versions from 8.5.0 to 8.5.4 LTS, upgrade to version 8.5.5 LTS or 8.5.6 LTS. For Confluence Server versions from 8.4.0 to 8.4.5, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.3.0 to 8.3.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.2.0 to 8.2.3, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.1.0 to 8.1.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 8.0.0 to 8.0.4, upgrade to version 8.5.6 LTS. For Confluence Server versions from 7.20.0 to 7.20.3, upgrade to version 8.5.6 LTS. For Confluence Server versions from 7.19.0 to 7.19.17 LTS, upgrade to version 8.5.6 LTS, 7.19.18 LTS, or 7.19.19 LTS. For Confluence Server versions from 7.18.0 to 7.18.3, upgrade to version 8.5.6 LTS or 7.19.19 LTS. For Confluence Server versions from 7.17.0 to 7.17.5, upgrade to version 8.5.6 LTS or 7.19.19 LTS. For Bitbucket Data Center and Server versions 7.21.0, upgrade to a release greater than or equal to 7.21.19. For Bitbucket Data Center and Server versions 8.9.0, upgrade to a release greater than or equal to 8.9.9. For Bitbucket Data Center and Server versions 8.13.0, upgrade to a release greater than or equal to 8.13.5. For Bitbucket Data Center and Server versions 8.14.0, upgrade to a release greater than or equal to 8.14.4. For Bitbucket Data Center versions 8.15.0, upgrade to a release greater than or equal to 8.15.3. For Bitbucket Data Center versions 8.16.0, upgrade to a release greater than or equal to 8.16.2.

Fix

DoS

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

BDU:2023-09017

CLEANSTART-2026-CI66802

CVE-2023-6378

GHSA-VMQ6-5M68-F53M

OESA-2023-1946

OPENSUSE-SU-2025:15597-1

USN-7616-1

Affected Products

Astra Linux

Bitbucket

Bitbucket Server

Confluence

Debian

Linuxmint

Red Os

Ubuntu

CVE-2023-6378

Weakness Enumeration

Related Identifiers

Affected Products

References · 104