Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-59863

Upgrade Tomcat to the fixed version of CVE-2020-9484

XMLWordPrintable

    • 6
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      A recent Tomcat vulnerability (CVE-2020-9484) in which an attacker can access the content and names of files on a server when custom PersistenceManager filestores are used was announced that affects the following versions:
      10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103

      Confluence, as shipped, does not use PersistenceManager and is not vulnerable, but can be made so with customizations.

      Affected versions of Tomcat include:

      • 7.0.0 to 7.0.103
      • 8.5.0 to 8.5.54
      • 9.0.0.M1 to 9.0.34
      • 10.0.0-M1 to 10.0.0-M4

      Suggested Solution

      Include an unaffected version of Tomcat (9.0.35 and above for Tomcat) in Confluence,

            xxu@atlassian.com Xinyi Xu (Inactive)
            nmukai Nobuyuki Mukai
            Votes:
            11 Vote for this issue
            Watchers:
            23 Start watching this issue

              Created:
              Updated:
              Resolved: