- Bug
- Resolution: Fixed
- Medium
- 8.11.0, 8.12.0, 8.5.8
- 8.05
- 14
- Severity 2 - Major
- 59
Issue Summary
The recently disclosed vulnerability regarding Apache Tomcat
affects the following versions:
- Apache Tomcat 8.x from 8.5.1 to 8.5.56
- Apache Tomcat 9.x from 9.0.0.M5 to 9.0.36
- Apache Tomcat 10.x from 10.0.0-M1 to 10.0.0-M6
Additionally, the following disclosed vulnerability regarding Tomcat:
affects the following versions:
- Apache Tomcat 7.x from 7.0.27 to 7.0.104
- Apache Tomcat 8.x from 8.5.1 to 8.5.56
- Apache Tomcat 9.x from 9.0.0.M5 to 9.0.36
- Apache Tomcat 10.x from 10.0.0-M1 to 10.0.0-M6
We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
Steps to Reproduce
- Check the CVE reports:
Expected Results
- Not applicable.
Actual Results
- Not applicable.
Workaround
- Manually upgrade Tomcat according to our documentation.
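To decide whether a given bundled Tomcat needs the manual upgrade, its version can be compared against the ranges listed in the issue summary. The following is an added example, not code from the issue or from Atlassian; the labels "first advisory" and "second advisory" and the function names are assumptions made here, since the issue text does not carry the CVE identifiers. It handles the milestone builds (`9.0.0.M5`, `10.0.0-M1`) that a plain string or numeric comparison gets wrong.

```python
import re

# Affected ranges exactly as listed in the issue summary (bounds inclusive).
# The two lists are labelled by their order on the page (assumed labels).
AFFECTED = {
    "first advisory": [("8.5.1", "8.5.56"), ("9.0.0.M5", "9.0.36"),
                       ("10.0.0-M1", "10.0.0-M6")],
    "second advisory": [("7.0.27", "7.0.104"), ("8.5.1", "8.5.56"),
                        ("9.0.0.M5", "9.0.36"), ("10.0.0-M1", "10.0.0-M6")],
}

# Three numeric parts, optionally followed by ".M<n>" or "-M<n>".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(text):
    """Turn '9.0.0.M5', '10.0.0-M1' or '8.5.57' into a sortable tuple.

    A milestone build (M<n>) sorts before the final release carrying the
    same three numbers, so 9.0.0.M5 < 9.0.0 < 9.0.1.
    """
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        stage = (1, 0)               # final release
    else:
        stage = (0, int(milestone))  # milestone build
    return (int(major), int(minor), int(patch)) + stage


def affected_by(version):
    """Return the labels of the lists whose ranges contain `version`."""
    key = version_key(version)
    return [label for label, ranges in AFFECTED.items()
            if any(version_key(lo) <= key <= version_key(hi)
                   for lo, hi in ranges)]


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for sample in ("7.0.104", "8.5.50", "8.5.57", "9.0.0.M4", "9.0.37"):
        print(sample, affected_by(sample) or "outside the listed ranges")
```

A version inside a listed range only means the bundled Tomcat is one of the affected releases; whether the vulnerable feature is reachable in a particular product is a separate question.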
- incorporates
  - CONFSERVER-60004 Upgrade Tomcat to version 9.0.37 (Closed)
- is related to
  - JRASERVER-71221 Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484 (Closed)
- relates to
  - JRASERVER-72609 Upgrade the bundled version of Apache Tomcat to 8.5.68 or later (Closed)
- blocks
  - PS-62845
This affects Confluence 7.6 also. This vulnerability was published a month ago and has a CVSS3 score of 7.5 High. Can we please get an update on when this will be fixed or some kind of document on if this affects Confluence and Jira and if so how to mitigate the issue?