Upgrade Tomcat to fix CVE-2023-41080

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version/s: 9.4.0, 9.2.5, 9.3.3
    • Affects Version/s: 9.1.3, 9.0.4, 9.2.4, 9.3.2
    • Component/s: Security
    • None
    • 1
    • Severity 2 - Major
    • 1

      Problem

      Apache Tomcat should be upgraded to 9.0.80 or a later version to fix CVE-2023-41080.

      Bamboo is not vulnerable to this issue as it does not use FORM authentication.

      This is an informational ticket to inform customers about the underlying CVE.

      Environment

      • Bamboo 9

      Steps to Reproduce

      • Check the Apache Tomcat version in pom.xml, or by running <bamboo-install>/bin/version.sh (version.bat on Windows)

      Expected Results

      • Bamboo 9.x: apache-tomcat 9.0.80 or later

      Actual Results

      • Bamboo 9.x: apache-tomcat 9.0.79 or lower
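
The version check above can be scripted. The following is an added example, not part of the original ticket or Atlassian's code; it assumes the `Server number:` line that Tomcat's `version.sh` prints, and the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the Tomcat bundled with Bamboo at least 9.0.80?
MIN_FIXED="9.0.80"   # minimum version named in this ticket

# Constructed sample of version.sh output (9.0.79 matches "Actual Results").
SAMPLE='Server version: Apache Tomcat/9.0.79
Server number:  9.0.79.0
OS Name:        Linux'

# Read version.sh output on stdin; print x.y.z from the "Server number:" line.
tomcat_version_from_output() {
    sed -n 's/^Server number:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing each component numerically
# (a plain string compare would rank 9.0.9 above 9.0.80).
version_at_least() {
    for i in 1 2 3; do
        h=$(printf '%s' "$1" | cut -d. -f"$i")
        w=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${h:-0}" -gt "${w:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${w:-0}" ]; then return 1; fi
    done
    return 0
}

# Classify version.sh output on stdin: prints FIXED, OUTDATED or UNKNOWN.
classify_tomcat() {
    v=$(tomcat_version_from_output)
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if version_at_least "$v" "$MIN_FIXED"; then
        echo "FIXED $v"
    else
        echo "OUTDATED $v"; return 1
    fi
}

# With an argument, treat it as <bamboo-install>; otherwise use the sample.
if [ -n "${1:-}" ]; then
    "$1/bin/version.sh" | classify_tomcat
else
    printf '%s\n' "$SAMPLE" | classify_tomcat || :   # prints "OUTDATED 9.0.79"
fi
```

Run it with the Bamboo installation directory as the only argument; a non-zero exit status means the bundled Tomcat is older than 9.0.80 or its version could not be read.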

      Workaround

      At your own risk, you can manually upgrade Tomcat as instructed on this KB:

      WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Bamboo running over unofficial Tomcat versions.

      Notes

            Assignee:
            Alexey Chystoprudov
            Reporter:
            Nhat Vu (Inactive)