Details
-
Bug
-
Resolution: Fixed
-
High
-
8.20.0, 9.4.0, 9.12.0
-
8.2
-
7.5
-
15
-
Severity 3 - Minor
-
29
-
Description
Issue Summary
Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a newer version to fix CVE-2023-46589
- Jira 9.0.x to 9.12 currently come bundled with a version of Tomcat which is vulnerable.
- Jira 8.x.x currently come bundled with a version of Tomcat which is vulnerable.
Tomcat versions bundles with Jira can be found in our Bundled Tomcat and Java versions article
This is reproducible on Data Center:
Steps to Reproduce
- Check the Apache Tomcat version
Expected Results
- LTS and new versions of Jira include Apache Tomcat version 9.0.83 and later
Actual Results
- Apache Tomcat version 9.0.82 and earlier
Workaround
To mitigate the issue, it is possible to manually upgrade Apache Tomcat by following the process described in the KB article below but please note that this will place the application in an unsupported state:
WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Jira running over unofficial Tomcat versions.