Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 8.20.30, 9.4.15, 9.12.2, 9.13.0
Affects Version/s: 8.20.0, 9.4.0, 9.12.0
Component/s: Security, Tomcat
Labels:

Introduced in Version:
8.2
CVSS Score:
7.5
Support reference count:
15
Symptom Severity:
Severity 3 - Minor
UIS:
29

Issue Summary

Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a newer version to fix CVE-2023-46589

Jira 9.0.x to 9.12 currently come bundled with a version of Tomcat which is vulnerable.
Jira 8.x.x currently come bundled with a version of Tomcat which is vulnerable.

Tomcat versions bundles with Jira can be found in our Bundled Tomcat and Java versions article

This is reproducible on Data Center:

Steps to Reproduce

Check the Apache Tomcat version

Expected Results

LTS and new versions of Jira include Apache Tomcat version 9.0.83 and later

Actual Results

Apache Tomcat version 9.0.82 and earlier

Workaround

To mitigate the issue, it is possible to manually upgrade Apache Tomcat by following the process described in the KB article below but please note that this will place the application in an unsupported state:

How to upgrade Apache Tomcat version used by Jira

WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Jira running over unofficial Tomcat versions.

duplicates

JSWSERVER-25502 Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

Published

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Assignee:: Steve Watson
Reporter:: Allan O'Rourke
Votes:: 2 Vote for this issue
Watchers:: 19 Start watching this issue

Created:: 03/Dec/2023 11:55 PM
Updated:: 22/Apr/2024 4:47 AM
Resolved:: 02/Jan/2024 2:04 PM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Activity

People

Dates