Upgrade Apache Commons-text for CVE-2022-42889


    • Severity 3 - Minor

      Crowd IS NOT VULNERABLE to CVE-2022-42889.

      This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

      Crowd does not use the vulnerable code path, string interpolation in the org.apache.commons.text.StringSubstitutor class (the default script, dns and url lookups that Commons Text 1.10.0 disables by default). The tracked change is a hygiene upgrade of the bundled library, not a fix for an exploitable condition in Crowd.

      Issue Summary

      This is a continuation of CWD-5892: the versions that contain the fix for the original report still bundle a plugin used by Crowd that embeds the affected dependency. This bug was raised so customers can track when a version without that dependency is released.

      Steps to Reproduce

      The affected library commons-text-1.9.jar can still be found in the caches directory after starting Crowd 5.1.2 (and other versions). The OSGi (Felix) container unpacks the bundled plugin there, so the jar it embeds appears on disk at:

      atlassian-crowd-5.1.2/caches/felix/felix-cache/bundle32/version0.0/atlassian-oauth-service-provider-plugin-5.0.0.jar-embedded/META-INF/lib/commons-text-1.9.jar
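      A quick inventory check for this condition, added here as an example and not part of the issue or of Crowd itself: it walks an unpacked Crowd installation, including the Felix bundle cache where embedded plugin jars are extracted to disk as the path above shows, for commons-text-*.jar files and reports those older than 1.10.0. Versions are compared component by component so that 1.9 is not mistaken for being newer than 1.10.0, which a plain string comparison would get wrong. The directory layout the demo builds is constructed for the example (placeholder files, not real jars), and the second location crowd-webapp/WEB-INF/lib is an assumption about the standalone distribution.

```shell
#!/bin/sh
# Added example, not Crowd's own code: find commons-text jars below the
# CVE-2022-42889 fix release (1.10.0) anywhere under an unpacked Crowd install.

MIN_FIXED_VERSION=1.10.0

# vercmp A B: prints -1, 0 or 1 for dotted versions (1.9 < 1.10.0; 1.10 == 1.10.0).
# Trailing non-numeric suffixes such as "-SNAPSHOT" are ignored per component.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}                      # leading component of each
    if [ "$a" = "$ah" ]; then a=; else a=${a#*.}; fi   # drop it from the remainder
    if [ "$b" = "$bh" ]; then b=; else b=${b#*.}; fi
    ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}          # "9-SNAPSHOT" -> "9"
    ah=${ah:-0}; bh=${bh:-0}                      # missing component counts as 0
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# version_of_jar PATH: "…/commons-text-1.9.jar" -> "1.9"
version_of_jar() {
  f=$(basename "$1" .jar)
  printf '%s\n' "${f#commons-text-}"
}

# scan_for_vulnerable_commons_text DIR: prints one path per line for every
# commons-text jar under DIR (felix-cache included) whose version is < 1.10.0.
scan_for_vulnerable_commons_text() {
  find "$1" -type f -name 'commons-text-*.jar' | sort | while IFS= read -r jar; do
    ver=$(version_of_jar "$jar")
    if [ "$(vercmp "$ver" "$MIN_FIXED_VERSION")" -lt 0 ]; then
      printf '%s\n' "$jar"
    fi
  done
}

# build_demo_tree DIR: constructs a fake Crowd layout for the demo, with the
# embedded 1.9 jar at the path from this issue and a fixed 1.10.0 jar elsewhere
# (empty placeholder files; the WEB-INF/lib location is an assumption).
build_demo_tree() {
  root="$1/atlassian-crowd-5.1.2"
  vuln="$root/caches/felix/felix-cache/bundle32/version0.0/atlassian-oauth-service-provider-plugin-5.0.0.jar-embedded/META-INF/lib"
  fixed="$root/crowd-webapp/WEB-INF/lib"
  mkdir -p "$vuln" "$fixed"
  : > "$vuln/commons-text-1.9.jar"
  : > "$fixed/commons-text-1.10.0.jar"
  printf '%s\n' "$root"
}

# Usage: sh scan.sh /path/to/atlassian-crowd-5.1.2
if [ -n "${1:-}" ]; then
  scan_for_vulnerable_commons_text "$1"
fi
```

      The check only matches jars named commons-text-<version>.jar; a copy shaded or relocated into another jar would not be reported by a file-name scan. Presence of the jar also says nothing about whether StringSubstitutor is reachable, which is why this issue tracks the upgrade rather than an exploitable condition.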
      

      Expected Results

      Apache Commons Text 1.10.0 or later is expected (the release in which the insecure default lookups were disabled).

      Actual Results

      commons-text-1.9.jar is still embedded in bundled plugins (atlassian-oauth-service-provider-plugin-5.0.0 in the example above).

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee:
            Unassigned
            Reporter:
            B Cavalcante (Inactive)
            Votes:
            2
            Watchers:
            6
