Update commons-configuration in Bamboo Data Center to satisfy scanners for CVE-2025-46392

    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Dependencies, Security

      Summary

      This suggestion is a request to upgrade the library on the classpath below just to satisfy security scanners. Some security scanners might report it as vulnerable to CVE-2025-46392, but Bamboo is not vulnerable.

      Commons Configuration
      File: <remote-agent-home>/classpath/commons-configuration-1.4-atlassian-1.jar
      File: atlassian-bamboo-9.4.0/atlassian-bamboo/WEB-INF/lib/commons-configuration-1.4-atlassian-1.jar

      Solution

      Although Bamboo is not vulnerable to CVE-2025-46392, because it neither loads untrusted configurations nor relies on unexpected usage patterns (a requirement for the CVE), the request is to upgrade Commons Configuration to version 2.x just to satisfy security scanners.

            Assignee: Unassigned
            Reporter: Eduardo Collaziol
            Votes: 0
            Watchers: 3