QID 379521
Date Published: 2024-03-26
QID 379521: Atlassian Bitbucket software.amazon.ion:ion-java Dependency Denial of Service (DoS) Vulnerability (BSERV-19291)
Bitbucket Data Center looks like a single instance of Bitbucket Server to users, but under the hood, it consists of a cluster of multiple machines ("cluster nodes") each running the Bitbucket Server web application, behind a load balancer.
CVE-2024-21634: a potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text-encoded data, or that deserialize Ion text- or binary-encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library.
Affected Versions:
7.21.x prior to 7.21.22
8.0.x prior to 8.0.5
8.1.x prior to 8.1.5
8.2.x prior to 8.2.4
8.3.x prior to 8.3.4
8.4.x prior to 8.4.4
8.5.x prior to 8.5.4
8.6.x prior to 8.6.4
8.7.x prior to 8.7.5
8.8.x prior to 8.8.7
8.9.x prior to 8.9.10
8.10.x prior to 8.10.6
8.11.x prior to 8.11.6
8.12.x prior to 8.12.6
8.13.x prior to 8.13.6
8.14.x prior to 8.14.5
8.15.x prior to 8.15.4
8.16.x prior to 8.16.3
8.17.x prior to 8.17.2
8.18.x prior to 8.18.1
Detection Logic (Unauthenticated):
The QID checks for vulnerable versions of Atlassian Bitbucket Server by sending a GET request to the /login endpoint and comparing the reported version against the affected ranges above.
Detection Logic (Authenticated):
The QID checks for vulnerable versions of Atlassian Bitbucket Server by reading the registry entry on Windows and by invoking commands on Linux, then comparing the installed version against the affected ranges above.
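Both detection methods reduce to the same step: take the version string Bitbucket reports and decide whether it falls inside one of the affected ranges listed above. The following is an added example of that comparison, not Qualys's own detection code and not Atlassian's; it copies the fixed-version table from this page and assumes the version is obtained separately (from the /login page, the Windows registry, or a command on Linux) as a dotted numeric string such as "8.9.3". Branches the page does not list (for example 8.19.x or anything before 7.21) are reported as "not listed" rather than guessed at, since the advisory makes no statement about them.

```python
"""Version-range check for the affected-version table in this QID.

Added example (not Qualys or Atlassian code). Assumes the caller has already
obtained the Bitbucket version string from the /login page, the Windows
registry, or a Linux command; only the comparison is shown here.
"""
from __future__ import annotations

import re

# (major, minor) branch -> first fixed release on that branch, copied from
# the "Affected Versions" list on this page ("8.9.x prior to 8.9.10" etc.).
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 21): (7, 21, 22),
    (8, 0): (8, 0, 5),
    (8, 1): (8, 1, 5),
    (8, 2): (8, 2, 4),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 4),
    (8, 6): (8, 6, 4),
    (8, 7): (8, 7, 5),
    (8, 8): (8, 8, 7),
    (8, 9): (8, 9, 10),
    (8, 10): (8, 10, 6),
    (8, 11): (8, 11, 6),
    (8, 12): (8, 12, 6),
    (8, 13): (8, 13, 6),
    (8, 14): (8, 14, 5),
    (8, 15): (8, 15, 4),
    (8, 16): (8, 16, 3),
    (8, 17): (8, 17, 2),
    (8, 18): (8, 18, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted numeric version, ignoring any trailing suffix.

    "8.9.3-rc1" -> (8, 9, 3); "8.9" is padded to (8, 9, 0) so that a
    two-component banner still compares against a three-component fix level.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(text: str) -> bool | None:
    """Classify a reported version against the table.

    Returns True when the version is below the fixed release for its branch,
    False when it is at or above it, and None when the branch is not listed
    on this page at all (no claim is made either way for such versions).
    """
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get((version[0], version[1]))
    if fixed is None:
        return None
    return version[:3] < fixed


if __name__ == "__main__":
    # Constructed sample banners; not real scan output.
    for banner in ["8.9.3", "8.9.10", "7.21.21", "8.18.0", "8.18.1", "8.19.0", "8.12"]:
        verdict = is_affected(banner)
        label = {True: "AFFECTED", False: "fixed", None: "branch not listed"}[verdict]
        print(f"{banner:>10}: {label}")
```

The `None` result matters in practice: a scanner that treats every unlisted branch as either safe or vulnerable will misreport newer releases or older unsupported ones, so the check distinguishes "below the fix" from "not covered by this advisory".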
Successful exploitation of this vulnerability allows denial or disruption of service.
- BSERV-19291 - jira.atlassian.com/browse/BSERV-19291
CVEs related to QID 379521
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| BSERV-19291 | Atlassian Bitbucket | software.amazon.ion:ion-java | jira.atlassian.com/browse/BSERV-19291 |