Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Is Crucible/Fisheye v4.8.13/4.8.14 vulnerable to CVE-2022-22978?

Kirk Williams
August 9, 2023

Our Tenable scan has flagged our recent upgrade to Crucible/Fisheye 4.8.13/4.8.14 for containing a Sprint Security verision prior to 5.5.7 or 5.6.x prior to 5.6.4.

Docker container running on RHEL7.

Flagged file:

/var/lib/docker/overlay2/xxxx/merged/atlassian/apps/crucible/lib/spring-security-core-3.2.5.RELEASE.jar.

It is recommended the version be upgraded from 3.2.5 to 5.5.7.

Is Crucible impacted by this CVE?  Will there be an update to the latest image for this issue in the near future?

1 answer

0 votes
Martin Runge
Community Champion
June 25, 2026

Hi @Kirk Williams

I did some short research. From my perspective, Crucible does not configure or expose the specific vulnerable code pathways required to exploit this defect. The flag is purely based on the version number of the Spring package.

Also, no advisory was issued for Fisheye/Crucible regarding CVE-2022-22978 on the Atlassian Security Advisories platform, confirming it is non-exploitable in this context.

It is recommended the version be upgraded from 3.2.5 to 5.5.7.

Crucible's internal dependencies, like the spring-security-core JAR, cannot be manually replaced or upgraded, as doing so across major versions breaks the application framework and prevents startup. The only safe way to update these components is to upgrade Crucible to a newest release.

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
SERVER
VERSION
4.8.14
TAGS
AUG Leaders

Atlassian Community Events