PT-2023-8847 · Atlassian · Bamboo Server
Adam Korczynski · Published 2023-09-29 · Updated 2024-08-02
CVE-2023-39410
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache Avro Java SDK versions up to and including 1.11.2
Confluence Data Center versions from 7.17.0 to 8.7.1
Confluence Data Center versions from 8.7.0 to 8.7.1
Confluence Server versions from 7.17.0 to 8.5.4 LTS
Bamboo Data Center and Server versions 9.2.1, 9.3.0, and 9.4.0
Description
When deserializing untrusted or corrupted data, a reader can be made to consume memory beyond the allowed constraints, leading to an out-of-memory condition on the system. This issue affects Java applications using the Apache Avro Java SDK. An unauthenticated attacker can exploit it against exposed assets in the environment with no user interaction; there is no impact to confidentiality or integrity, but a high impact to availability.
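As an added illustration (not code from the Avro project or from this advisory), the following Python reproduces in simplified form how an Avro binary reader decodes a length-prefixed bytes value, and shows the check a reader needs so that a hostile declared length is rejected before any buffer is allocated; the cap MAX_BYTES and the helper names are assumptions.

```python
# Added example: simplified Avro binary decoding of a length-prefixed "bytes"
# value with the bound a reader must enforce. Not the SDK's code; names assumed.

MAX_BYTES = 1 << 20  # assumed per-value cap (1 MiB); tune to the application

def encode_long(n: int) -> bytes:
    """Avro zig-zag varint encoding of a 64-bit long; used to build inputs."""
    z = (n << 1) ^ (n >> 63)
    out = bytearray()
    while z > 0x7F:
        out.append((z & 0x7F) | 0x80)
        z >>= 7
    out.append(z)
    return bytes(out)

def decode_long(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a zig-zag varint at buf[pos]; returns (value, next position)."""
    acc, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        acc |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return (acc >> 1) ^ -(acc & 1), pos
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def read_bytes_bounded(buf: bytes, pos: int, limit: int = MAX_BYTES) -> tuple[bytes, int]:
    """Read an Avro bytes value. The declared length is untrusted, so it is checked
    against a fixed cap and the data actually present before any allocation."""
    n, pos = decode_long(buf, pos)
    if n < 0 or n > limit:
        raise ValueError(f"declared length {n} exceeds limit {limit}")
    if n > len(buf) - pos:
        raise ValueError("declared length exceeds remaining data")
    return bytes(buf[pos:pos + n]), pos + n

def accepts(buf: bytes, limit: int = MAX_BYTES) -> bool:
    try:
        read_bytes_bounded(buf, 0, limit)
        return True
    except ValueError:
        return False

BENIGN = encode_long(3) + b"abc"          # constructed: 3-byte value
HOSTILE = encode_long(1 << 40) + b"abc"   # constructed: claims 1 TiB of payload
```

A reader that allocates the declared `n` bytes before checking it would attempt a 1 TiB allocation on the hostile input; the bounded reader rejects it with a ValueError.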
Recommendations
For Apache Avro Java SDK versions up to and including 1.11.2, update to apache-avro version 1.11.3.
For Confluence Data Center versions from 7.17.0 to 8.7.1, upgrade to the latest version, or to one of the specified supported fixed versions: 8.8.0, 8.7.2, 8.6.2, 8.5.4 LTS, 8.5.5 LTS, 8.5.6 LTS, 7.19.17 LTS, 7.19.18 LTS, 7.19.19 LTS.
For Confluence Server versions from 7.17.0 to 8.5.4 LTS, upgrade to the latest 8.5.x LTS version, or to one of the specified supported fixed versions: 8.5.5 LTS, 8.5.6 LTS, 7.19.17 LTS, 7.19.18 LTS, 7.19.19 LTS.
For Bamboo Data Center and Server versions 9.2.1, 9.3.0, and 9.4.0, upgrade to the latest version, or to one of the specified supported fixed versions: 9.2.8, 9.3.6, 9.4.2.
Tags: Fix · DoS · Deserialization of Untrusted Data · RCE
Affected Products
Apache Avro Java SDK
Bamboo
Bamboo Server
Confluence
Jira