PT-2025-5776 · Netplex Json-Smart

Published: 2025-02-05 · Updated: 2026-04-01 · CVE-2024-57699

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
- Netplex Json-smart versions 2.5.0 through 2.5.1
- Confluence Data Center and Server versions prior to 8.5.22
- Confluence Data Center and Server versions prior to 9.2.4
- Confluence Data Center and Server versions prior to 9.4.1
- Bamboo Data Center and Server versions prior to 9.6.11
- Bamboo Data Center and Server versions prior to 10.2.3
- Bitbucket Data Center and Server versions prior to 8.9.27
- Bitbucket Data Center and Server versions prior to 8.19.18
- Bitbucket Data Center and Server versions prior to 9.4.5
- Bitbucket Data Center and Server versions prior to 9.5.2
- Bitbucket Data Center and Server versions prior to 9.6.2
Description: A security issue was found in Netplex Json-smart: parsing a specially crafted JSON input containing a large number of '{' characters can trigger stack exhaustion in the parser and allow an attacker to cause a Denial of Service (DoS). The issue exists because the fix for a previous vulnerability was incomplete. The vulnerability can be exploited remotely by an unauthenticated attacker against any exposed asset that parses untrusted JSON with the affected library; it has no impact on confidentiality or integrity, a high impact on availability, and requires no user interaction.
Recommendations:
- Netplex Json-smart versions 2.5.0 through 2.5.1: until a patched release is available, consider disabling the JSONParser or enabling its LIMIT JSON DEPTH option so that deeply nested input is rejected instead of parsed recursively.
- Confluence Data Center and Server: upgrade to 8.5.22, 9.2.4, or 9.4.1 or later.
- Bamboo Data Center and Server: upgrade to 9.6.11 or 10.2.3 or later.
- Bitbucket Data Center and Server: upgrade to 8.9.27, 8.19.18, 9.4.5, 9.5.2, or 9.6.2 or later.
- As a temporary workaround for any affected product, restrict access to the JSONParser (for example, to authenticated or trusted callers only) or set custom parser options that limit nesting depth to reduce the risk of exploitation.
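As an added illustration of the depth-limit mitigation (this is example code written for this page, not json-smart's own implementation or anything from the advisory), the following Python guard scans raw JSON text and rejects it before a recursive parser sees it once the {}/[] nesting passes a cap. The cap of 400 and the function names are assumptions chosen for the example; braces inside string values are skipped so they do not count as nesting.

```python
import json

# Assumed default nesting cap for this example; tune it to the depth your
# own schemas legitimately need. The point is that the bound is enforced
# before any recursive descent happens, so a run of '{' cannot exhaust the stack.
MAX_DEPTH = 400


class DepthLimitExceeded(ValueError):
    """Raised when the input nests deeper than the configured limit."""


def max_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Return the maximum {}/[] nesting depth of raw JSON text.

    Raises DepthLimitExceeded as soon as the depth passes `limit`, so work is
    bounded by the position of the offending opener, not the input length.
    Openers inside strings (including after escaped quotes) are ignored.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # any char after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > limit:
                raise DepthLimitExceeded(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1                   # unbalanced closers are left to the parser
    return max_depth


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Parse JSON only after the depth guard has accepted the text."""
    max_nesting_depth(text, limit)
    return json.loads(text)


if __name__ == "__main__":
    # Constructed inputs: a normal document and the shape the advisory
    # describes, a long run of '{' with no matching closers.
    print(max_nesting_depth('{"a": [1, {"b": "{{{{not nesting}}}}"}]}'))  # 3
    try:
        safe_loads("{" * 100_000)
    except DepthLimitExceeded as exc:
        print("rejected:", exc)
```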

Exploit

Fix

Weakness Enumeration: DoS, Uncontrolled Recursion

Related Identifiers

BDU:2026-01707
CLEANSTART-2026-TZ04509
CVE-2024-57699
GHSA-PQ2G-WX69-C263
OESA-2025-1164
RHSA-2025:10092
RHSA-2025:10097
RHSA-2025:10098
RHSA-2025:10104
RHSA-2025:10118
RHSA-2025:10119
RHSA-2025:10120

Affected Products

Bamboo
Bitbucket
Confluence
Debian
Netplex Json-Smart