Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 7.13.11, 7.19.2, 7.20.0
Affects Version/s: 7.13.8, 7.18.2
Component/s: Security
Labels:

Support reference count:
18
Symptom Severity:
Severity 3 - Minor
UIS:
21
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

his is reproducible on Data Center: yes

The current version of Tomcat 9.0.63 is bundled with Confluence 7.18.2 and Confluence 7.13.8 are vulnerable to CVE-2022-34305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34305

Steps to Reproduce

-

Expected Results

-

Actual Results

-

Workaround

Manually updating Tomcat would be a valid workaround, however, checking the Tomcat download link we can see that the latest available version is

For Tomcat 9, 9.0.64 http://archive.apache.org/dist/tomcat/tomcat-9/
So, not even Tomcat has released a version that has the fix for this CVE, looks like this vulnerability is currently undergoing analysis.

Opening a ticket to keep track of it on our side.

[Update from Jul 21, 2022]
Tomcat released the 9.0.65 version which contains the fix for this vulnerability (CVE-2022-34305):

Tomcat 9 - changelog

Attachments

Issue Links

links to

Original (master branch) ticket on AsecJ > VULN

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(17 mentioned in)

Activity

People

Assignee:: Lokesh Nerella

Reporter:: Derek Howell

Votes:: 6 Vote for this issue

Watchers:: 23 Start watching this issue

Dates

Due:: 16/Oct/2022

Created:: 07/Jul/2022 7:05 PM

Updated:: 07/Feb/2023 4:25 PM

Resolved:: 29/Sep/2022 6:57 AM