Cf063312d081JRASERVER-76250Upgrade Tomcat to fix CVE-2023-41080
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
64.6%
h3. Problem
Apache Tomcat should be upgraded to 9.0.80 or a later version to fix [CVE-2023-41080|https://nvd.nist.gov/vuln/detail/CVE-2023-41080]
h3. Environment
- Jira v9.11
h3. Steps to Reproduce
- Current bundled Tomcat version is Tomcat 9.0.75 which is vulnerable to CVE-2023-41080. Upgrade Tomcat to version v9.0.80 to fix this vulnerability.
h3. Workaround
At your own risk, you can manually upgrade Tomcat as instructed on this KB:
- [How to upgrade Apache Tomcat version used by Jira|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html]
{}WARNING{}: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Jira running over unofficial Tomcat versions.
h3. Notes
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| jira data center | le | 9.11.0 | |
| jira data center | lt | 9.12.0 | |
| jira data center | lt | 9.4.11 | |
| jira data center | lt | 9.11.2 |
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
64.6%