Upgrade spring framework to mitigate CVE-2023-20860, CVE-2023-20861, and CVE-2023-20863


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Fix Version/s: 9.2.3, 9.3.1
    • Affects Version/s: 9.2.1, 9.1.2, 8.2.8, 8.0.13, 8.1.12
    • Component/s: Security
    • None
    • 2
    • Severity 2 - Major

      Issue Summary

      This is reproducible on Data Center:

      Steps to Reproduce

      Check the Spring Framework JAR versions in <bamboo-install>/atlassian-bamboo/WEB-INF/lib.

      Bamboo does not use spring-webmvc (mvcRequestMatcher) or process SpEL messages, but scanners may still report the bundled version, so it needs to be updated.

      Expected Results

      Spring framework should be:

      • 6.0.7+
      • 5.3.27+

      Actual Results

      Bamboo uses Spring Framework version <= 5.2.26
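
One way to run the check from Steps to Reproduce against the thresholds under Expected Results, as an added example that is not part of the original issue or Atlassian's tooling. The module list and the `spring-<module>-<version>.jar` file naming are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag Spring Framework JARs below the fixed releases.
# Usage: ./check-spring.sh <bamboo-install>/atlassian-bamboo/WEB-INF/lib

# Assumption: these Spring Framework modules are enough to identify the
# bundled version (spring-expression holds SpEL, spring-webmvc is MVC).
# Other spring-* JARs (e.g. Spring Security) follow different versioning.
FRAMEWORK_MODULES="spring-core spring-expression spring-web spring-webmvc"

# Return 0 if version $1 is 5.3.27+ on the 5.3 line or 6.0.7+ on 6.x,
# 1 if it is older, 2 if it cannot be parsed as major.minor.patch.
is_fixed() {
    local v=$1 major minor patch rest n
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}          # drops suffixes such as ".RELEASE"
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ]; then
        if [ "$minor" -gt 0 ] || [ "$patch" -ge 7 ]; then return 0; fi
        return 1
    fi
    if [ "$major" -eq 5 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 27 ]; then
        return 0
    fi
    return 1
}

# Print one line per matching JAR in directory $1; return 1 if any JAR
# is older than the fixed release or has an unparsable version.
scan_lib() {
    local dir=$1 mod jar ver status rc=0
    for mod in $FRAMEWORK_MODULES; do
        for jar in "$dir/$mod"-[0-9]*.jar; do
            [ -e "$jar" ] || continue
            ver=${jar##*/"$mod"-}; ver=${ver%.jar}
            if is_fixed "$ver"; then status=FIXED; else status=REVIEW; rc=1; fi
            printf '%-7s %s %s\n' "$status" "$mod" "$ver"
        done
    done
    return "$rc"
}

# Scan only when a directory argument is supplied.
if [ $# -gt 0 ]; then scan_lib "$1"; fi
```

A `REVIEW` line means the JAR is below the fixed release for its line or its version could not be parsed from the file name.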

      Workaround

      -

            Assignee:
            Alexey Chystoprudov
            Reporter:
            Eduardo Alvarenga (Inactive)
            Votes:
            0
            Watchers:
            3
