Bamboo Data Center: BAM-21993

Upgrade Apache Commons-text to mitigate CVE-2022-42889

      DISCLAIMER

      Bamboo IS NOT VULNERABLE to CVE-2022-42889.

      This issue was created to track the change required to upgrade the Apache Commons Text library. Customers can use it to follow progress and to be notified when the upgrade ships in a numbered release.

      Bamboo does not use the affected class org.apache.commons.text.StringSubstitutor. CVE-2022-42889 concerns StringSubstitutor with its default interpolator lookups (script, dns and url), which are enabled by default in commons-text 1.5 through 1.9; because Bamboo never invokes that class, the affected code path is not reachable through Bamboo.

      Apache Commons Text is used by the following Bamboo artifacts, none of which references StringSubstitutor:

      • com.atlassian.bamboo:atlassian-bamboo-api
        • only org.apache.commons.text.StringEscapeUtils
      • com.atlassian.bamboo:atlassian-bamboo-utils
        • only org.apache.commons.text.StringEscapeUtils
      • com.atlassian.plugins:atlassian-nav-links-plugin
        • only org.apache.commons.text.StringEscapeUtils

      Issue summary

      The Apache Commons Text library should be upgraded to 1.10.0 or later. That release disables the script, dns and url lookups by default, so Bamboo will no longer bundle a commons-text version affected by CVE-2022-42889.

      Environment

      Bamboo 8, 9

      Steps to Reproduce

      1. Check the version of org.apache.commons:commons-text bundled with Bamboo, for example from the pom.xml of the bundled artifact (see the KB article "How to find the version of bundled software in Bamboo").

      Expected Results

      commons-text 1.10.0 or later is bundled.

      Actual Results

      commons-text 1.9 (or earlier) is bundled.
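The check in the steps above, carried out as a script: this is an added example written for this issue, not Atlassian's or Bamboo's own code. It parses the version out of the bundled commons-text jar name, compares it numerically against 1.10.0 (a plain string compare would rank "1.9" above "1.10.0"), and also offers a way to confirm that a given jar does not reference StringSubstitutor at all. The lib directory it scans is an assumption (point it at wherever your installation keeps its bundled jars); the sample directory at the bottom is constructed with empty placeholder files and contains no real Bamboo artifacts. The class-reference check assumes unzip is installed.

```shell
#!/bin/sh
# Added example for BAM-21993, not Atlassian's code. Reports whether the
# commons-text jar bundled with a Bamboo installation is at or above 1.10.0,
# the first release in which StringSubstitutor's script, dns and url lookups
# are disabled by default. The lib directory is an assumption: point it at
# wherever your installation keeps its bundled jars.

# Print the version embedded in a commons-text jar filename,
# e.g. ".../commons-text-1.9.jar" -> "1.9". Returns 1 for other jars.
commons_text_version() {
    name=$(basename "$1")
    case "$name" in
        commons-text-*.jar) ;;
        *) return 1 ;;
    esac
    v=${name#commons-text-}
    printf '%s\n' "${v%.jar}"
}

# Exit 0 if dotted version $1 >= $2, comparing numerically component by
# component ("1.10.0" > "1.9", unlike a string compare). A non-numeric
# suffix such as "-SNAPSHOT" is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Scan one directory for commons-text jars, print "<jar> <version> <status>"
# per jar, and exit 1 if any of them is below 1.10.0.
check_lib_dir() {
    dir=$1; rc=0; found=0
    for jar in "$dir"/commons-text-*.jar; do
        [ -e "$jar" ] || continue
        found=1
        v=$(commons_text_version "$jar") || continue
        if version_ge "$v" 1.10.0; then status=OK; else status=NEEDS-UPGRADE; rc=1; fi
        printf '%s %s %s\n' "$(basename "$jar")" "$v" "$status"
    done
    [ "$found" -eq 1 ] || printf 'no commons-text jar found in %s\n' "$dir"
    return "$rc"
}

# Exit 0 if any .class file inside jar $1 references internal class name $2.
# Constant-pool entries are modified UTF-8, so a plain grep on the bytes works.
# Use it to confirm a plugin really does not touch StringSubstitutor; needs unzip.
jar_references_class() {
    unzip -p "$1" '*.class' 2>/dev/null | grep -q "$2"
}
# e.g. jar_references_class some-plugin.jar org/apache/commons/text/StringSubstitutor

# Constructed sample: empty files named like the real artifacts stand in for a
# Bamboo lib directory (no real Bamboo jars are used here).
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/commons-text-1.9.jar"
: > "$SAMPLE_DIR/commons-lang3-3.12.0.jar"
check_lib_dir "$SAMPLE_DIR" || echo "upgrade required (see BAM-21993)"
rm -rf "$SAMPLE_DIR"
```

Run it against the real lib directory with `check_lib_dir /path/to/bamboo/lib`; a non-zero exit means the installation still bundles a pre-1.10.0 commons-text and should be tracked against this issue. The jar-name parse is the quick check; when a jar has been renamed, fall back to the version recorded in the artifact's pom.xml as the steps above describe.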

              People: Marcin Gardias (mgardias), Eduardo Alvarenga (Inactive)