Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.4.5, 5.1.2, 5.0.5, 4.3.11
Affects Version/s: 4.3.5, 5.0.0
Component/s: Authentication / Security
Labels:

Support reference count:
6
Symptom Severity:
Severity 3 - Minor
UIS:
61
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

DISCLAIMER

Crowd IS NOT VULNERABLE to CVE-2022-42889.

This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

Crowd does not use the vulnerable module org.apache.commons.text.StringSubstitutor

Issue Summary

Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on CVE-2022-42889

Steps to Reproduce

Check <install-directory>/crowd-webapp/WEB-INF/lib/ for commons-text-X.X.jar

Expected Results

apache-common-text 1.10.0+ is expected

Actual Results

commons-text-1.9.jar (or earlier) is used

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

Attachments

Issue Links

is related to

CWD-5924 Upgrade Apache Commons-text for CVE-2022-42889

Closed

relates to

CONFSERVER-81048 Upgrade Apache Commons-text for CVE-2022-42889

Closed

JRASERVER-74501 Upgrade Apache Commons-text for CVE-2022-42889

Needs Triage

causes: KRAK-4903 Loading...

is cloned by: KRAK-4873 Loading...

mentioned in: Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Cole Aronson

Votes:: 31 Vote for this issue

Watchers:: 27 Start watching this issue

Dates

Created:: 17/Nov/2022 4:05 PM

Updated:: 08/Dec/2023 10:24 AM

Resolved:: 13/Feb/2023 8:24 AM