Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.2.6, 8.1.10, 8.0.11, 9.0.1, 9.1.0
Affects Version/s: 8.0.4
Component/s: Tomcat tasks
Labels:
None

Support reference count:
3
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

Apache Tomcat should be upgraded to 8.5.82 or a superior version to fix CVE-2022-34305

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

Steps to Reproduce

Check tomcat version on pom.xml or <bamboo-install>/bin/version.sh/bat

Expected Results

apache-tomcat 8.5.82+ is expected

Actual Results

apache-tomcat 8.5.75 (or older) is used

Workaround

Bamboo distribution doesn't contain example application from Tomcat distro.

At your own risk, you can manually upgrade Tomcat as instructed on this KB:

How to upgrade Apache Tomcat version used by Bamboo

WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.

Attachments

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Alexey Chystoprudov

Reporter:: Shashank Kumar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/Jul/2022 7:51 AM

Updated:: 05/Oct/2022 7:05 AM

Resolved:: 02/Sep/2022 9:06 AM