Hi
Our vulnerability scanner flagged Tomcat as an issue, which I believe is part of the Bamboo install.
Is there a patch?
We are running bamboo-8.0.6
Thanks,
-mg
Hello @Miguel Gusils
If you are referring to CVE-2020-9484/CVE-2022-23181, those are being addressed by the following BAM:
Due to its nature, it is classified as internal-only.
A fix will be released in a few days with Bamboo 8.2 bundling Tomcat 8.5.75. Please keep an eye on the Bamboo release notes. You can also watch the Bamboo Announcements community page to be notified once a release is available.
Kind regards,
Eduardo Alvarenga
Atlassian Support APAC
Eduardo,
Bamboo 8.2.1 has been released, but there is no description of these CVEs in the fix list.
Hello @Chihara,
As mentioned before, https://jira.atlassian.com/browse/BAM-21603 is an internal ticket and will not be mentioned to the public. I can confirm the fix for the CVE has been published and is available on Bamboo 8.2.1.
You can validate the embedded Tomcat version in Bamboo by following this KB:
Cheers,
Eduardo Alvarenga
Atlassian Support APAC