Details
-
Bug
-
Resolution: Fixed
-
Highest
-
7.6.0, 7.17.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 7.21.0, 8.4.0, 8.5.0
-
24
-
Severity 2 - Major
-
1,214
-
Description
DISCLAIMER
This issues only covers commons-text usages in the Bitbucket WebApp, not the bundled OpenSearch. To track the upgrade of OpenSearch to a version that contains an updated commons-text dependency please refer to BSERV-13588.
No exploit through Bitbucket has been discovered, nor has a codepath where the vulnerable class is used been identified. However common-text should be updated as a precaution and to avoid Bitbucket being flagged by vulnerability scanners which will identify the vulnerable commons-text library.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Bitbucket DC does not use the vulnerable module org.apache.commons.text.StringSubstitutor
Apache commons-text is used by:
- com.atlassian.plugins:atlassian-nav-links-plugin
-
- only org.apache.commons.text.StringEscapeUtils
Issue Summary
Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on CVE-2022-42889
Attachments
Issue Links
- relates to
-
JRASERVER-74501 Upgrade Apache Commons-text for CVE-2022-42889
- Needs Triage
- causes
-
PS-112775 Loading...