Details
Description
Issue Summary
Apache Tomcat should be upgraded to 8.5.82 or a superior version to fix CVE-2022-34305
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
Steps to Reproduce
Check tomcat version on pom.xml or <bamboo-install>/bin/version.sh/bat
Expected Results
apache-tomcat 8.5.82+ is expected
Actual Results
apache-tomcat 8.5.75 (or older) is used
Workaround
Bamboo distribution doesn't contain example application from Tomcat distro.
At your own risk, you can manually upgrade Tomcat as instructed on this KB:
WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.
Attachments
Issue Links
- mentioned in
-
Page Loading...