Details
- Bug
- Resolution: Fixed
- Medium
- 4.3.5, 5.0.0
- 6
- Severity 3 - Minor
- 61
Description
DISCLAIMER
Crowd IS NOT VULNERABLE to CVE-2022-42889.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Crowd does not use the vulnerable module org.apache.commons.text.StringSubstitutor.
Issue Summary
The Apache Commons Text library should be upgraded to 1.10.0 or later to mitigate any exploitation attempts described in CVE-2022-42889.
Steps to Reproduce
Check <install-directory>/crowd-webapp/WEB-INF/lib/ for commons-text-X.X.jar
Expected Results
Apache Commons Text 1.10.0+ is expected.
Actual Results
commons-text-1.9.jar (or earlier) is used
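The check from the steps above, written as a script (an added example, not Atlassian's tooling; the function names are hypothetical and it assumes the version is encoded in the jar file name). It compares version components numerically, because a plain string comparison would rank 1.9 above 1.10.0.

```shell
#!/bin/sh
# Added example: flag Apache Commons Text jars older than 1.10.0 in a lib directory.
# Assumption: the version is encoded in the file name (commons-text-X.Y[.Z].jar).
MIN_VERSION=1.10.0

# Succeed (return 0) when dotted version $1 is numerically lower than $2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1    # equal versions are not "lower"
}

# Print the numeric version from a commons-text jar path; vendor suffixes are dropped.
jar_version() {
    basename "$1" |
        sed -n 's/^commons-text-\([0-9][0-9.]*\).*\.jar$/\1/p' | sed 's/\.$//'
}

# Report every commons-text jar in directory $1.
# Returns 0 if all are >= MIN_VERSION, 1 if any is older or unparseable, 2 if none found.
check_lib_dir() {
    found=0 outdated=0
    for jar in "$1"/commons-text-*.jar; do
        [ -e "$jar" ] || continue
        found=1
        ver=$(jar_version "$jar")
        if [ -z "$ver" ]; then
            echo "UNKNOWN  $jar (no version in file name)"; outdated=1
        elif version_lt "$ver" "$MIN_VERSION"; then
            echo "OUTDATED $jar ($ver < $MIN_VERSION)"; outdated=1
        else
            echo "OK       $jar ($ver)"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no commons-text jar found in $1"; return 2; }
    return "$outdated"
}

# Usage: sh check-commons-text.sh <install-directory>/crowd-webapp/WEB-INF/lib
if [ "$#" -gt 0 ]; then
    check_lib_dir "$1"
fi
```

A file-name check only sees standalone jars; copies of the library repackaged inside other archives need a dependency or SBOM scan.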
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
Issue Links
- is related to
  - CWD-5924 Upgrade Apache Commons-text for CVE-2022-42889 (Closed)
- relates to
  - CONFSERVER-81048 Upgrade Apache Commons-text for CVE-2022-42889 (Closed)
  - JRASERVER-74501 Upgrade Apache Commons-text for CVE-2022-42889 (Needs Triage)
- causes
  - KRAK-4903
- is cloned by
  - KRAK-4873