Does Atlassian bamboo server 7.2.4 use Apache Commons Text ver 1.5-1.9? (CVE-2022-42889)

Niraj Wagh October 17, 2022

Hi, does Atlassian Bamboo server version use Apache Commons Text?

Since a vulnerability is reported in CVE-2022-42889.

 

Thanks,

Niraj

1 answer

1 accepted

1 vote
Answer accepted
Eduardo Alvarenga
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 17, 2022

Hello @Niraj Wagh

Bamboo 8.0 and 9.0 series use Apache Commons Text v1.9.

Bamboo 7.2 uses Apache Commons Text v1.1.

As of today, 18/10/2022, Atlassian is currently evaluating if Bamboo is vulnerable to CVE-2022-42889. We don't have much information to disclose at this stage and/or if a patch is going to be published.

Update 19/10/2022: Bamboo is not vulnerable to CVE-2022-42889 as it does not use the StringSubstitutor module of commons-text. We will obviously bump the dependency to 1.10.0 in the next point release.

If you have a valid Bamboo subscription and you prefer having a more directed approach, you can subscribe your account to our Security Advisories mailing list. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email under "Tech Alerts".

You can find more information on how we deal with Security Advisories here:

Here's the official page on Bamboo vulnerabilities:

To find the version of bundled software in Bamboo, please check the following KB article:

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Niraj Wagh October 18, 2022

Hi @Eduardo Alvarenga, I have downloaded the .pom file for Bamboo 7.2.4 using the third document link mentioned in your answer. (https://packages.atlassian.com/maven/repository/public/com/atlassian/bamboo/atlassian-bamboo/7.2.4/atlassian-bamboo-7.2.4.pom)

In the .pom file, I checked for commons-text, and the version mentioned there is 1.1.

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-text</artifactId>
    <version>1.1</version>
</dependency>

 

Does that mean Bamboo server 7.2.4 uses Apache commons-text 1.1?

Thanks,

Niraj
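As an added example, not code from the thread or from Atlassian: a small Python check that reads a Maven pom, resolves `${property}` version references, and flags any `org.apache.commons:commons-text` dependency whose version falls in the 1.5 to 1.9 range named in the question. The sample pom is constructed from the dependency block quoted above, with a `<properties>` element added only to exercise property resolution.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the commons-text dependency quoted in the thread (version 1.1),
# wrapped in a minimal pom. The <properties> block is added to test ${...} resolution.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><text.version>1.9</text.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.1</version>
    </dependency>
  </dependencies>
</project>"""

# Affected versions as stated in the question title: 1.5 through 1.9 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (1, 5, 0), (1, 9, 0)


def strip_ns(tag):
    """'{http://maven.apache.org/POM/4.0.0}version' -> 'version' (handles poms without a namespace too)."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); '1.9' -> (1, 9, 0). Returns None if no numeric component is found."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        return None
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def commons_text_versions(pom_xml):
    """Declared versions of org.apache.commons:commons-text in the pom, with ${props} resolved."""
    root = ET.fromstring(pom_xml)
    props = {strip_ns(p.tag): (p.text or "").strip()
             for el in root.iter() if strip_ns(el.tag) == "properties" for p in el}
    versions = []
    for dep in root.iter():
        if strip_ns(dep.tag) != "dependency":
            continue
        f = {strip_ns(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.apache.commons" and f.get("artifactId") == "commons-text":
            raw = f.get("version", "")
            versions.append(re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw))
    return versions


def in_affected_range(version_text):
    """True if the version is within 1.5..1.9, False if outside, None if it cannot be parsed."""
    v = parse_version(version_text)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX
```

A version inside the range only flags the artifact for review: as the accepted answer notes, the issue depends on whether the application actually uses `StringSubstitutor`, so treat a hit as a prompt to check usage, not as confirmation of exposure. Note also that a pom lists declared dependencies; transitive copies pulled in by other artifacts need a full dependency tree (for example `mvn dependency:tree`) to find.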

Eduardo Alvarenga
Atlassian Team
October 18, 2022

Hey @Niraj Wagh

Yes! You are right. Apache Commons Text 1.9 was introduced only on Bamboo 8.0. Apologies for that. I have amended my comment.

Answering your question, Bamboo 7.2.4 comes with Apache Commons Text 1.1.

Kind regards,

Eduardo Alvarenga
Atlassian Support APAC

--please don't forget to Accept the answer if the reply is helpful-- 

Niraj Wagh October 18, 2022

Hi @Eduardo Alvarenga 

Thanks for answering.

 

Thanks,

Niraj
