=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN882
_____________________________________________________________________

DATE                : 18/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Bitbucket Data Center,
                      Bitbucket Server versions prior to 9.4.0,
                      10.0.0, 8.19.25, 10.1.1.

=====================================================================
https://jira.atlassian.com/browse/BSERV-20270
_____________________________________________________________________

DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency
in Bitbucket Data Center and Server

    Published

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.4.0, 10.0.0, 8.19.25, 10.1.1
    Affects Version/s:    8.18.0, 8.19.0, 8.19.1, 8.19.2, 8.19.3,
        8.19.4, 8.19.5, 8.19.6, 8.19.7, 9.1.0, 9.0.1, 8.19.8, 8.19.9,
        8.19.10
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    8.7
    CVSS Severity:    High
    CVE ID:    CVE-2024-7254
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Bitbucket Data Center, Bitbucket Server

This High severity DoS (Denial of Service) Dependency vulnerability,
known as CVE-2024-7254, was introduced in version 8.9.0 of
Bitbucket Data Center and Server.

This vulnerability, with a CVSS Score of 8.7 and a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X,
allows an unauthenticated attacker to perform actions which have no
impact on confidentiality, no impact on integrity, a high impact on
availability, and require no user interaction.

Atlassian recommends that Bitbucket Data Center and Server
customers upgrade to the latest version. If you are unable to do so,
upgrade your instance to one of the specified supported fixed
versions:

    Bitbucket Data Center and Server 8.18: Upgrade to a release
        greater than or equal to 8.19.25
    Bitbucket Data Center and Server 8.19: Upgrade to a release
        greater than or equal to 8.19.25

See the release notes
(https://confluence.atlassian.com/bitbucketserver/release-notes).
You can download the latest version of Bitbucket Data Center
from the download center
(https://www.atlassian.com/software/bitbucket/download-archives).

The National Vulnerability Database provides the following
description for this vulnerability: Any project that parses
untrusted Protocol Buffers data containing an arbitrary number
of nested groups / series of SGROUP tags can be corrupted by
exceeding the stack limit, i.e. StackOverflow. Parsing nested
groups as unknown fields with DiscardUnknownFieldsParser or
Java Protobuf Lite parser, or against Protobuf map fields,
creates unbounded recursions that can be abused by an
attacker.
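
The NVD text above describes the failure mode: each SGROUP tag drives a recursive parser one stack frame deeper, with no bound. As an added example (not part of this advisory and not code from protobuf-java), the following Python walks protobuf wire-format bytes iteratively and rejects input whose group nesting exceeds a limit, the kind of up-front check a service that accepts untrusted Protocol Buffers input can apply before handing the bytes to a recursive parser; the default limit and the sample bytes are constructed assumptions.

```python
def _read_varint(data: bytes, pos: int) -> tuple:
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte, pos = data[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def max_group_depth(data: bytes, limit: int = 100) -> int:
    """Iteratively (no recursion) return the deepest SGROUP nesting in a
    serialized message; raise ValueError if it exceeds `limit` or the encoding
    is malformed, rejecting the input before a recursive parser could blow its stack."""
    pos, depth, deepest = 0, 0, 0
    while pos < len(data):
        tag, pos = _read_varint(data, pos)
        wire_type = tag & 0x07                      # low 3 bits of the tag
        if wire_type == 0:                          # varint payload
            _, pos = _read_varint(data, pos)
        elif wire_type == 1:                        # fixed64
            pos += 8
        elif wire_type == 2:                        # length-delimited: skip payload
            length, pos = _read_varint(data, pos)
            pos += length
        elif wire_type == 3:                        # SGROUP: one level deeper
            depth += 1
            if depth > limit:
                raise ValueError(f"group nesting exceeds limit {limit}")
            deepest = max(deepest, depth)
        elif wire_type == 4:                        # EGROUP: must close an open group
            if depth == 0:
                raise ValueError("EGROUP without matching SGROUP")
            depth -= 1
        elif wire_type == 5:                        # fixed32
            pos += 4
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(data):
            raise ValueError("truncated field payload")
    if depth != 0:
        raise ValueError("unterminated group")
    return deepest

# Constructed sample: field 1 as SGROUP (tag 0x0b) three levels deep, a varint
# field 2 (tag 0x10, value 5) innermost, then three matching EGROUPs (0x0c).
SAMPLE = bytes([0x0B, 0x0B, 0x0B, 0x10, 0x05, 0x0C, 0x0C, 0x0C])
```

Note that length-delimited payloads are skipped rather than descended into, so embedded messages would need the same check applied once they are themselves parsed.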


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================