PT-2024-3099 · Atlassian+1 · Confluence Data Center/Server+5

Quan Nguyen · Published 2024-02-10 · Updated 2026-05-18

CVE-2023-52428

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Connect2id Nimbus JOSE+JWT versions prior to 9.37.2
Confluence Data Center and Server versions prior to 7.19.23
Confluence Data Center and Server versions prior to 8.5.11
Confluence Data Center and Server versions prior to 8.6.2
Confluence Data Center and Server versions prior to 8.7.2
Confluence Data Center and Server versions prior to 8.9.3
Bamboo Data Center and Server versions prior to 9.2.15
Bamboo Data Center and Server versions prior to 9.4.3
Bamboo Data Center and Server versions prior to 9.5.3
Bamboo Data Center and Server versions prior to 9.6.3
Description

The issue is in the PasswordBasedDecrypter (PBKDF2) component of Connect2id Nimbus JOSE+JWT. An attacker can cause a denial of service (resource consumption) by supplying a JWE whose p2c protected-header value (the PBKDF2 iteration count) is very large: the decrypter runs the key derivation for that many iterations before it can reject the token. The issue can be triggered over the network by an unauthenticated attacker with no user interaction; it has no impact on confidentiality or integrity and a high impact on availability.
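The following is an added example, not code from this advisory, from Atlassian, or from the Nimbus JOSE+JWT project. It shows the defender-side check that the description implies: inspect the JWE protected header and refuse any PBES2 token whose p2c iteration count exceeds a policy cap before the token reaches a password-based decrypter and the PBKDF2 work is spent. The cap value MAX_P2C, the helper names, and the sample tokens are all assumptions constructed for this example; only the protected header of each token is meaningful, the remaining four segments are placeholders because the pre-check never touches them.

```python
import base64
import json
from typing import Tuple

# Policy cap on the PBES2 iteration count this service will accept.
# Assumption for this example: choose a value that matches the work factor
# your own tokens actually use, so legitimate traffic never trips the limit.
MAX_P2C = 1_000_000

# PBES2 key-management algorithms from RFC 7518 section 4.8; these are the
# only ones for which the p2c header is meaningful.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_protected_header(jwe_compact: str) -> dict:
    # Compact JWE = header.encryptedKey.iv.ciphertext.tag (5 segments).
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_pbes2_iterations(jwe_compact: str, max_p2c: int = MAX_P2C) -> Tuple[bool, str]:
    """Return (accept, reason). Accept non-PBES2 tokens unchanged; for PBES2
    tokens require p2c to be a positive integer no larger than max_p2c."""
    header = parse_protected_header(jwe_compact)
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} is not PBES2; p2c not applicable"
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        return False, "p2c missing or not an integer"
    if p2c < 1:
        return False, f"p2c {p2c} below minimum of 1"
    if p2c > max_p2c:
        return False, f"p2c {p2c} exceeds policy maximum {max_p2c}"
    return True, f"p2c {p2c} within limit"


def _make_token(header: dict) -> str:
    # Constructed sample token: real protected header, placeholder body.
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    return ".".join([h, "ZW5ja2V5", "aXY", "Y2lwaGVydGV4dA", "dGFn"])


# Constructed inputs: a normal PBES2 token, an abusive one with an enormous
# iteration count, and a non-PBES2 token that the check must leave alone.
SAFE_TOKEN = _make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA", "p2c": 4096})
ABUSIVE_TOKEN = _make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA", "p2c": 2_000_000_000})
RSA_TOKEN = _make_token({"alg": "RSA-OAEP-256", "enc": "A256GCM"})

if __name__ == "__main__":
    for name, tok in [("safe", SAFE_TOKEN), ("abusive", ABUSIVE_TOKEN), ("rsa", RSA_TOKEN)]:
        ok, reason = check_pbes2_iterations(tok)
        print(f"{name}: {'accept' if ok else 'REJECT'} ({reason})")
```

Run the check on the raw compact serialization before any decrypt call; because it only base64-decodes and parses the first segment, its cost is constant regardless of what p2c says, which is exactly the property the vulnerable path lacks. Rejected tokens are worth logging with the offending p2c value, since a burst of them is a clear signal of an attempted resource-exhaustion attack.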
Recommendations

For Connect2id Nimbus JOSE+JWT versions prior to 9.37.2, upgrade to version 9.37.2 or later.
For Confluence Data Center and Server versions prior to 7.19.23, upgrade to version 7.19.23 or later.
For Confluence Data Center and Server versions prior to 8.5.11, upgrade to version 8.5.11 or later.
For Confluence Data Center and Server versions prior to 8.6.2, upgrade to version 8.6.2 or later.
For Confluence Data Center and Server versions prior to 8.7.2, upgrade to version 8.7.2 or later.
For Confluence Data Center and Server versions prior to 8.9.3, upgrade to version 8.9.3 or later.
For Bamboo Data Center and Server versions prior to 9.2.15, upgrade to version 9.2.15 or later.
For Bamboo Data Center and Server versions prior to 9.4.3, upgrade to version 9.4.3 or later.
For Bamboo Data Center and Server versions prior to 9.5.3, upgrade to version 9.5.3 or later.
For Bamboo Data Center and Server versions prior to 9.6.3, upgrade to version 9.6.3 or later.

Tags

Fix
DoS

Weakness Enumeration

Improper Resource Release
Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

BDU:2024-03299
CLEANSTART-2026-DD05788
CLEANSTART-2026-VH41554
CVE-2023-52428
GHSA-GVPG-VGMX-XG6W
RHSA-2024:8823
RHSA-2024:8824

Affected Products

Bamboo
Bamboo Data Center/Server
Bitbucket
Confluence
Confluence Data Center/Server
Connect2Id Nimbus Jose+Jwt