JSWSERVER-21486: CVE-2022-22970 and CVE-2022-22971 on JIRA spring-core-5.3.10.jar
Project: Jira Software Data Center

Type: Suggestion
Resolution: Duplicate
Component: Security

Problem

Jira is using version spring-core-5.0.10 of the Spring Framework. This version is vulnerable to CVE-2022-22970 and CVE-2022-22971.

Suggested Solution

The remediation for these CVEs is to update the Spring Framework library. The recommendation is to update to version 5.3.21.

Why This Is Important

The security team and scanners raised concerns.

Workaround

None available.

Andrzej Kotas added a comment - Duplicate of https://jira.atlassian.com/browse/JRASERVER-74776

Stuart Williamson added a comment - I see the same issue was remediated in Bamboo BAM-21851, and Confluence CONFSERVER-79940 (pending release), so I was wondering when it will be remediated in Jira too.

Juan Pablo Hernandez added a comment - Hello Team,

About this, the vulnerabilities are

https://tanzu.vmware.com/security/cve-2022-22971
https://tanzu.vmware.com/security/cve-2022-22970

I took a look at the library in Jira 8.20.13 and I could see the Spring Framework at 5.3.19:

<jira_install>/atlassian-jira/WEB-INF/lib/spring-core-5.3.19.jar
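The comment above checks the Spring version by reading the jar name in the Jira lib directory. The following is an added example (not Atlassian's code or anything from this issue) that automates that check against the 5.3.21 version recommended in the suggested solution; it assumes the jars are named spring-<module>-<x.y.z>.jar as in the path quoted above.

```python
"""Audit a Jira lib directory for Spring Framework jars below the fixed version.

Added example, not Atlassian code. Assumes jar names follow the pattern
spring-<module>-<x.y.z>.jar, as in atlassian-jira/WEB-INF/lib/spring-core-5.3.19.jar.
"""
import re
import sys
from pathlib import Path

# Recommended version from the issue's suggested solution.
FIXED_VERSION = (5, 3, 21)

# Matches spring-core-5.3.19.jar, spring-web-5.3.19.jar, spring-core-5.3.19.RELEASE.jar ...
JAR_RE = re.compile(r"^(spring-[a-z-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")


def parse_spring_jar(name):
    """Return (module, (major, minor, patch)) or None for a non-Spring jar name."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(m.group(i)) for i in (2, 3, 4))


def audit_jar_names(names, fixed=FIXED_VERSION):
    """Map each Spring jar whose version is older than `fixed` to its version tuple."""
    findings = {}
    for name in names:
        parsed = parse_spring_jar(name)
        if parsed is not None and parsed[1] < fixed:
            findings[name] = parsed[1]
    return findings


def audit_lib_dir(lib_dir, fixed=FIXED_VERSION):
    """Scan an on-disk lib directory such as <jira_install>/atlassian-jira/WEB-INF/lib."""
    names = (p.name for p in Path(lib_dir).glob("spring-*.jar"))
    return audit_jar_names(names, fixed)


if __name__ == "__main__":
    # Usage: python audit_spring.py <jira_install>
    lib = Path(sys.argv[1]) / "atlassian-jira" / "WEB-INF" / "lib"
    for jar, ver in sorted(audit_lib_dir(lib).items()):
        print(f"{jar}: {'.'.join(map(str, ver))} < {'.'.join(map(str, FIXED_VERSION))}")
```

A filename-based check only tells you which jar version is shipped; it says nothing about whether the affected code paths are reachable in a given deployment.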

Assignee: Unassigned
Reporter: Roman Ventura (Inactive)
Votes: 19
Watchers: 18