Upgrade Tomcat to mitigate CVE-2022-34305


    • Severity 3 - Minor

      Issue Summary

      Apache Tomcat should be upgraded to 8.5.82 or a later version to fix CVE-2022-34305.

      In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

      Steps to Reproduce

      Check the Tomcat version in pom.xml, or run <bamboo-install>/bin/version.sh (version.bat on Windows) and read the reported Apache Tomcat version.

      Expected Results

      apache-tomcat 8.5.82 or later is expected

      Actual Results

      apache-tomcat 8.5.75 (or older) is bundled
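      As an added check that is not part of this ticket or of Atlassian's tooling, the POSIX shell script below extracts the version from the "Server version:" banner that Tomcat's catalina.sh version prints (Bamboo's bin/version.sh is assumed here to produce the same banner) and tests it against the affected ranges quoted in the Issue Summary. The banner text is a constructed sample, and BAMBOO_INSTALL is an assumed placeholder for the installation directory.

```shell
#!/bin/sh
# Added example; not from the Bamboo ticket or from Atlassian.
# Decides whether a bundled Tomcat falls in a CVE-2022-34305 affected range.

# Constructed sample of the banner. On a real host, replace with:
#   SAMPLE_BANNER=$("$BAMBOO_INSTALL/bin/version.sh")   # BAMBOO_INSTALL is assumed
SAMPLE_BANNER='Server version: Apache Tomcat/8.5.75
Server built:   Jan 17 2022 18:37:15 UTC
Server number:  8.5.75.0
OS Name:        Linux'

# tomcat_version BANNER -> prints the version, e.g. "8.5.75" or "10.1.0-M16".
tomcat_version() {
    printf '%s\n' "$1" \
      | sed -n 's/^Server version: *Apache Tomcat\/\([0-9][0-9.]*\(-M[0-9][0-9]*\)\{0,1\}\).*/\1/p' \
      | head -n 1
}

# tomcat_affected VERSION -> exit status 0 when VERSION is inside one of:
#   8.5.50-8.5.81, 9.0.30-9.0.64, 10.0.0-M1-10.0.22, 10.1.0-M1-10.1.0-M16.
# Milestone builds (-Mn) only matter on the 10.x branches: every 10.0.x up to
# 10.0.22 is affected (milestones of 10.0.0 included), while on 10.1 only the
# 10.1.0 milestones M1..M16 are; 10.1.0 GA itself is fixed.
tomcat_affected() {
    ver=$1
    ms=
    case $ver in
        *-M*) ms=${ver##*-M}; ver=${ver%-M*} ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major.$minor" in
        8.5)  [ "$patch" -ge 50 ] && [ "$patch" -le 81 ] ;;
        9.0)  [ "$patch" -ge 30 ] && [ "$patch" -le 64 ] ;;
        10.0) [ "$patch" -le 22 ] ;;
        10.1) [ -n "$ms" ] && [ "$patch" -eq 0 ] && [ "$ms" -le 16 ] ;;
        *)    return 1 ;;
    esac
}

version=$(tomcat_version "$SAMPLE_BANNER")
if tomcat_affected "$version"; then
    echo "Apache Tomcat $version is in a CVE-2022-34305 affected range; 8.5.82 or later is expected"
else
    echo "Apache Tomcat $version is outside the CVE-2022-34305 affected ranges"
fi
```

      Because the examples web application is not shipped with Bamboo, a match here is a version-based finding (the kind a dependency scanner raises) rather than proof that the vulnerable page is reachable; it still tells you whether the bundled Tomcat is below the fixed release.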

      Workaround

      The Bamboo distribution does not include the examples web application from the Tomcat distribution, so the vulnerable example page is not deployed with Bamboo; this finding is a version match against the bundled Tomcat.

      At your own risk, you can upgrade Tomcat manually by following this KB article:

      WARNING: Atlassian Support may decline support requests for Bamboo running on an unofficial Tomcat version unless the problem is also reproducible on an official release.

            Assignee:
            Alexey Chystoprudov
            Reporter:
            Shashank Kumar
            Votes:
            0
            Watchers:
            3
