Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 7.19.5, 7.6.15, 7.17.7, 7.21.1
Affects Version/s: 7.19.1
Component/s: Security - Other
Labels:

Support reference count:
2
Symptom Severity:
Severity 2 - Major
UIS:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

As of Bitbucket 7.21 the LESS Transformer Plugin shipped is version 4.0.0. Unfortunately it has a dependency on commons-codec version 1.4 which has a number of security vulnerabilities.

eg.commons-codec:commons-codec / 1.4
Apache Commons Codec org.apache.commons.codec.language.Soundex.US_ENGLISH_MAPPING Missing MS_PKGPROTECT Field Manipulation

Version 4.0.2 of the plugin uses commons-codec 1.15.

This bug is to update the version of the LESS Transformer Plugin shipped with Bitbucket

Steps to Reproduce

jar -tvf /opt/atlassian/bitbucket/app/WEB-INF/atlassian-bundled-plugins/less-transformer-plugin-4.0.0.jar 2>/dev/null | grep commons-codec
58160 Tue Dec 11 00:24:14 UTC 2018 META-INF/lib/commons-codec-1.4.jar

Expected Results

Ship with commons-codec-1.15.jar

Actual Results

N/A

Workaround

None available at this time.

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...

Assignee:: Josh Aguilar

Reporter:: Chris Berry (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 24/Mar/2022 4:23 AM

Updated:: 16/Aug/2022 7:33 PM

Resolved:: 04/May/2022 3:25 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates