Upgrade Tomcat to fix CVE-2023-46589

h3. Issue Summary
Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a newer version to fix [CVE-2023-46589|https://nvd.nist.gov/vuln/detail/CVE-2023-46589]

• Jira 9.0.x to 9.12 currently come bundled with a version of Tomcat which is vulnerable.
• Jira 8.x.x currently come bundled with a version of Tomcat which is vulnerable.

Tomcat versions bundles with Jira can be found in our [Bundled Tomcat and Java versions|https://confluence.atlassian.com/jiracore/bundled-tomcat-and-java-versions-1013854250.html] article

This is reproducible on Data Center: (/)

h3. Steps to Reproduce

• Check the Apache Tomcat version

h3. Expected Results

• LTS and new versions of Jira include Apache Tomcat version 9.0.83 and later

h3. Actual Results

• Apache Tomcat version 9.0.82 and earlier

h3. Workaround
To mitigate the issue, it is possible to manually upgrade Apache Tomcat by following the process described in the KB article below but please note that this will place the application in an {}unsupported state{}:

• [How to upgrade Apache Tomcat version used by Jira|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html]

{}WARNING{}: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Jira running over unofficial Tomcat versions.