CVE-2024-47561

Name of the Vulnerable Software and Affected Versions: Apache Avro versions 1.11.3 and previous versions Apache Avro versions prior to 1.11.4 Bamboo Data Center and Server versions 9.2.1, 9.6.0, and 10.0.0-rc3 Bitbucket Data Center and Server versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, and 9.2.0 Confluence Data Center and Server version 6.5

Description: The vulnerability in the Apache Avro Java SDK is related to schema parsing, which allows bad actors to execute arbitrary code. This issue affects versions prior to 1.11.4 and can be exploited by unauthenticated attackers, potentially exposing assets in the environment to exploitation. The vulnerability has a low impact on confidentiality, integrity, and availability, and requires no user interaction. It is recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

Recommendations: For Apache Avro versions 1.11.3 and previous versions, upgrade to version 1.11.4 or 1.12.0. For Bamboo Data Center and Server versions 9.2.1, 9.6.0, and 10.0.0-rc3, upgrade to a release greater than or equal to 9.2.20, 9.6.8, or 10.0.3, respectively. For Bitbucket Data Center and Server versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, and 9.2.0, upgrade to a release greater than or equal to 8.9.21 or 8.19.11, respectively. For Confluence Data Center and Server version 6.5, upgrade to a release greater than or equal to 7.19.30, 8.5.18, or 9.1.1, respectively. As a temporary workaround, consider disabling schema parsing in the Java SDK until a patch is available.