This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

Confluence does not use the vulnerable module org.apache.commons.text.StringSubstitutor

Issue Summary

Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on CVE-2022-42889

Steps to Reproduce

Check org.apache.commons -> commons-text version on pom.xml

Expected Results

apache-common-text 1.10.0+ is expected

Actual Results

apache-common-text 1.9 (or earlier) is used

Workaround

Currently, there is no known workaround for this behavior. A workaround will be added here when available