  1. Crowd Data Center
  2. CWD-5924

Upgrade Apache Commons-text for CVE-2022-42889


      Crowd IS NOT VULNERABLE to CVE-2022-42889.

      This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

      Crowd does not use the vulnerable module org.apache.commons.text.StringSubstitutor.

      Issue Summary

      This is a continuation of CWD-5892. The versions that contain the fix for the original bug report still contain a plugin used by Crowd which has the affected dependency. This bug was raised so that customers can track when a version without this dependency is released.

      Steps to Reproduce

      The affected library commons-text-1.9.jar can still be found in the caches directory after starting Crowd 5.1.2 (and others):

      atlassian-crowd-5.1.2/caches/felix/felix-cache/bundle32/version0.0/atlassian-oauth-service-provider-plugin-5.0.0.jar-embedded/META-INF/lib/commons-text-1.9.jar
      

      Expected Results

      Apache Commons Text 1.10.0+ is expected

      Actual Results

      commons-text-1.9.jar is still used by bundled plugins
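To inventory every copy of the library under a Crowd installation, including copies packed inside plugin jars as well as the extracted copy in the Felix cache shown above, a scanner along these lines can be used. This is an added example, not Atlassian's code; the function names are hypothetical, the 1.10.0 threshold is the version this issue expects, and a hit only shows that an old jar is present on disk.

```python
import io
import os
import re
import sys
import zipfile

FIXED = (1, 10, 0)  # the issue expects Commons Text 1.10.0 or later
JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(name):
    """Return the version tuple from a commons-text jar name, else None."""
    m = JAR_RE.search(name.replace(os.sep, "/"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_outdated(version):
    """True when version is older than FIXED (short tuples padded with 0)."""
    return version + (0,) * (len(FIXED) - len(version)) < FIXED

def scan_jar(data, label, depth=2):
    """Yield (location, version) for commons-text jars nested in a jar."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                where = f"{label}!/{entry}"
                version = parse_version(entry)
                if version:
                    yield where, version
                elif entry.endswith(".jar") and depth > 0:
                    yield from scan_jar(zf.read(entry), where, depth - 1)
    except zipfile.BadZipFile:
        return  # not a readable archive: skip it

def scan_tree(root):
    """Return sorted (location, version) pairs older than FIXED under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            version = parse_version(name)
            found = [(path, version)] if version else []
            if not version and name.endswith(".jar"):
                with open(path, "rb") as fh:
                    found = list(scan_jar(fh.read(), path))
            hits += [hit for hit in found if is_outdated(hit[1])]
    return sorted(hits)

if __name__ == "__main__" and len(sys.argv) > 1:
    for loc, v in scan_tree(sys.argv[1]):  # e.g. the atlassian-crowd-5.1.2 directory
        print(".".join(map(str, v)), loc)
```

Run it against the installation directory after Crowd has started at least once, so that the Felix cache has been populated.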

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

              Assignee: Unassigned
              Reporter: B Cavalcante
              Votes: 2
              Watchers: 6
