CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile: 99.8%
h3. DISCLAIMER
{panel:bgColor=#e3fcef}
(!) Confluence *IS NOT VULNERABLE to [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889]*.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Confluence does not use the vulnerable module {{org.apache.commons.text.StringSubstitutor}}.
{panel}
h3. Issue Summary
The Apache Commons Text library should be upgraded to 1.10.0 or later to mitigate the exploitation attempts described in [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889].
h3. Steps to Reproduce
Check the version of {{org.apache.commons}} -> {{commons-text}} in {{pom.xml}}.
h3. Expected Results
Apache Commons Text 1.10.0+ is expected.
h3. Actual Results
Apache Commons Text 1.9 (or earlier) is used.
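The version check from the steps above, as an added Python example (not Atlassian's code): it reads a POM, resolves a property-based version reference, and compares numerically, because a plain string comparison ranks 1.9 above 1.10.0. The sample POM and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 10, 0)  # the page asks for 1.10.0 or later

# Constructed sample POM for illustration; not Confluence's real pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><commons-text.version>1.9</commons-text.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${commons-text.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""


def _local(tag):
    """Strip the XML namespace so namespaced and plain POMs both match."""
    return tag.rsplit("}", 1)[-1]


def commons_text_versions(pom_xml):
    """Return every declared commons-text version, with ${property} resolved."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for p in el}
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) == ("org.apache.commons", "commons-text"):
            found.append(re.sub(r"\$\{([^}]+)\}",
                                lambda m: props.get(m.group(1), m.group(0)),
                                f.get("version", "")))
    return found


def needs_upgrade(version):
    """True when the version is below 1.10.0 or cannot be determined."""
    nums = re.findall(r"\d+", version.split("-")[0])
    if "${" in version or not nums:
        return True  # unresolved property or inherited version: treat as unknown
    return tuple(int(n) for n in (nums + ["0", "0"])[:3]) < FIXED


if __name__ == "__main__":
    for v in commons_text_versions(SAMPLE_POM):
        print(v, "UPGRADE" if needs_upgrade(v) else "ok")
```

A version inherited from a parent POM or pulled in transitively does not appear in the file, so an empty result here does not rule out an older commons-text on the classpath.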
h3. Workaround
Currently, there is no known workaround for this behavior. A workaround will be added here when available.
Vendor | Product | Version | CPE |
---|---|---|---|
atlassian | confluence_data_center | * | cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* |