PT-2024-7918 · Atlassian+4 · Bitbucket Data Center/Server+7

Darkamaul · Published 2024-11-07 · Updated 2025-11-01 · CVE-2024-47072

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

XStream versions prior to 1.4.21
Bitbucket Data Center and Server versions 8.6.0 through 8.19.0
Bitbucket Data Center and Server versions 9.0.0 through 9.4.0
Bitbucket Data Center and Server versions 8.9.0 through 8.9.23
Bitbucket Data Center and Server versions 8.19.0 through 8.19.13
Bitbucket Data Center and Server versions 9.4.0 through 9.4.1
Description

The issue is a stack overflow error in the BinaryStreamDriver component of the XStream library. When XStream is configured to use the BinaryStreamDriver, a remote attacker who can manipulate the input stream being processed can terminate the application, resulting in a denial of service. Deployments that feed untrusted input to an affected XStream are susceptible to exploitation; the vulnerability has no impact on confidentiality, no impact on integrity, and a high impact on availability.
Recommendations

For XStream versions prior to 1.4.21, upgrade to version 1.4.21 or later.
For Bitbucket Data Center and Server versions 8.9.0 through 8.9.23, upgrade to a release greater than or equal to 8.9.24.
For Bitbucket Data Center and Server versions 8.19.0 through 8.19.13, upgrade to a release greater than or equal to 8.19.14.
For Bitbucket Data Center and Server versions 9.4.0 through 9.4.1, upgrade to a release greater than or equal to 9.4.2.
For Bitbucket Data Center and Server version 9.5, upgrade to a release greater than or equal to 9.5.0.

As a temporary workaround, users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
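As an added illustration of the temporary workaround above (not code from the advisory, from Atlassian or from the XStream project), a decoding helper that confines the StackOverflowError raised while XStream parses a BinaryStreamDriver stream; the class names, the checked exception and the type allow-list are assumptions.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;

import java.io.InputStream;

/**
 * Wraps XStream binary-format decoding so that a StackOverflowError thrown
 * inside BinaryStreamDriver (CVE-2024-47072, XStream before 1.4.21) becomes
 * an ordinary checked exception instead of killing the calling thread or
 * the application. Interim mitigation only; upgrading to 1.4.21 is the fix.
 * Added example, not part of the advisory or of XStream.
 */
public final class SafeBinaryDecoder {

    /** Hypothetical application exception for rejected input. */
    public static final class MalformedStreamException extends Exception {
        MalformedStreamException(String msg, Throwable cause) {
            super(msg, cause);
        }
    }

    private final XStream xstream;

    public SafeBinaryDecoder(Class<?>... allowedTypes) {
        xstream = new XStream(new BinaryStreamDriver());
        // Deserialization of untrusted data: permit only the application's
        // expected types (assumed caller-supplied list) via XStream's
        // allowTypes(Class[]) security API.
        xstream.allowTypes(allowedTypes);
    }

    /** Decodes one binary stream; never lets a stack overflow escape. */
    public Object decode(InputStream in) throws MalformedStreamException {
        try {
            return xstream.fromXML(in);
        } catch (StackOverflowError e) {
            // StackOverflowError extends java.lang.Error, not Exception, so a
            // generic catch (Exception e) would NOT intercept it. By the time
            // this handler runs the deep recursion has unwound, so the thread
            // is usable again and the request can fail cleanly and be logged.
            throw new MalformedStreamException(
                "binary stream nests too deeply; input rejected", e);
        }
    }
}
```

Callers should treat MalformedStreamException as a rejected request and log it, since a sudden rise in these rejections is the observable signal of an attempted DoS against the endpoint.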

Exploit · Fix · DoS

Weakness Enumeration

Deserialization of Untrusted Data
Stack Overflow

Related Identifiers

ALT-PU-2025-13422
ALT-PU-2025-3710
BDU:2024-09422
CVE-2024-47072
DLA-4001-1
GHSA-HFQ9-HGGM-C56Q
OESA-2024-2400
OPENSUSE-SU-2024:14480-1
OPENSUSE-SU-2024_4037-1
RHSA-2025:2218
RHSA-2025:2219
RHSA-2025:2220
RHSA-2025:2221
RHSA-2025:2222
RHSA-2025:2223
SUSE-SU-2024:4037-1
SUSE-SU-2024_4037-1

Affected Products

Alt Linux
Astra Linux
Bamboo
Bitbucket
Bitbucket Data Center/Server
Confluence
Red Os
Suse