We would like to note that we have updated the Bouncy Castle crypto library in S/Notify 4.1, and that this version of the library fixes flaws that may lead to high CPU usage or even a DoS (Denial of Service) under certain circumstances. The following CVEs have been addressed and may be relevant for its use within S/Notify:
Note that CVE-2024-30172 in particular could be used for a DoS (Denial of Service) attack. This is particularly true if you allow user uploads or, in Jira, the extraction and use of certificates or keys from incoming email.
Therefore, we recommend that all customers plan to update in the short term to S/Notify for Jira 4.1, S/Notify for Confluence 4.1 and/or S/Notify for Bitbucket 2.1 if they haven't already.