PT-2024-18985 · Atlassian · Confluence+5
Highpopematt · Published 2024-01-03 · Updated 2026-05-18 · CVE-2024-21634

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

ion-java versions prior to 1.10.5
Bitbucket Data Center and Server versions 7.21.0 through 8.18.0
Confluence Data Center and Server versions 5.6 through 8.8.1
Jira Software versions (affected versions not specified)
Jira Work Management versions (affected versions not specified)
Description

A potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text-encoded data, or that deserialize Ion text- or binary-encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.
Recommendations

For ion-java versions prior to 1.10.5, upgrade to version 1.10.5 or later.
For Bitbucket Data Center and Server versions 7.21.0 through 8.18.0, upgrade to the specified supported fixed versions.
For Confluence Data Center and Server versions 5.6 through 8.8.1, upgrade to the specified supported fixed versions.
For Jira Software and Jira Work Management, there is at the moment no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, do not load data that originated from an untrusted source or that could have been tampered with.
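As an added illustration of the workaround (this is not code from the advisory or from the ion-java project), the Python pre-filter below rejects Ion text whose container nesting exceeds a limit before the document reaches a deserializer. It assumes that the StackOverflowError comes from parser recursion on deeply nested containers, which the advisory does not state explicitly; the function names and the default limit of 64 are choices made for the example.

```python
# Added example (not from the advisory or the ion-java project): a pre-parse
# nesting-depth guard for Ion text. It assumes (the page does not say so) that
# the StackOverflowError comes from recursion on deeply nested containers, and
# rejects such input in O(n) time before it reaches an unpatched deserializer.

def ion_text_max_depth(text: str, limit: int = 64) -> int:
    """Deepest container nesting; raises ValueError once `limit` is exceeded."""
    depth = deepest = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if text.startswith("'''", i):            # long string literal
            end = text.find("'''", i + 3)
            i = n if end < 0 else end + 3
        elif c in "\"'":                         # string or quoted symbol
            i += 1
            while i < n and text[i] != c:
                i += 2 if text[i] == "\\" else 1  # skip escaped characters
            i += 1
        elif text.startswith("//", i):           # line comment
            end = text.find("\n", i)
            i = n if end < 0 else end + 1
        elif text.startswith("/*", i):           # block comment
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif text.startswith("{{", i):           # blob/clob: opaque, not a container
            end = text.find("}}", i + 2)
            i = n if end < 0 else end + 2
        elif c in "[({":                         # list, s-expression, struct
            depth += 1
            if depth > limit:
                raise ValueError(f"Ion nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
            i += 1
        else:
            if c in "])}":
                depth = max(depth - 1, 0)
            i += 1
    return deepest

def ion_text_is_safe(text: str, limit: int = 64) -> bool:
    """Gate for untrusted input: True only when nesting stays within limit."""
    try:
        ion_text_max_depth(text, limit)
        return True
    except ValueError:
        return False
```

Because the scan never recurses, the guard itself cannot be driven into a stack overflow by the input it is inspecting.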

Exploit

DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CLEANSTART-2026-DD05788
CLEANSTART-2026-VH41554
CVE-2024-21634
GHSA-264P-99WQ-F4J6
RHSA-2024:7441

Affected Products

Bamboo
Bitbucket
Bitbucket Server
Confluence
Jira
Jira Work Management