-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Low
-
Affects Version/s: 8.2.6, 8.1.10, 8.0.11, 9.0.1
-
Component/s: Bamboo Release, Infrastructure, Security
-
32
-
Severity 3 - Minor
-
23
DISCLAIMER
Bamboo IS NOT VULNERABLE to CVE-2022-42889.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Bamboo does not use the vulnerable module org.apache.commons.text.StringSubstitutor
Apache commons-text is used by:
- com.atlassian.bamboo:atlassian-bamboo-api
-
- only org.apache.commons.text.StringEscapeUtils
- com.atlassian.bamboo:atlassian-bamboo-utils
-
- only org.apache.commons.text.StringEscapeUtils
- com.atlassian.plugins:atlassian-nav-links-plugin
-
- only org.apache.commons.text.StringEscapeUtils
Issue summary
Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on CVE-2022-42889
Environment
Bamboo 8, 9
Steps to Reproduce
- Check org.apache.commons -> commons-text version on pom.xml - How to find the version of bundled software in Bamboo
Expected Results
apache-common-text 1.10.0+ is expected
Actual Results
apache-common-text 1.9 (or earlier) is used