We've been made aware of a security vulnerability in Tomcat v8.5.50, which Crowd v4.2.0 (that we're currently using) comes with. Has Tomcat been upgraded if we upgrade Crowd to v4.2.2?
Hi @abbeycode ,
Based on release note unfortunately, not yet
https://confluence.atlassian.com/crowd/crowd-4-2-release-notes-1019381976.html
Please, share the CVE- and I hope Atlassian security team will check the risks.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You can use this trick
https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html
I submitted support tickets to Atlassian for Crowd (with two CVEs) and Jira and Bamboo, with one CVE that wasn't patched until Tomcat v8.5.60.
Patched in v8.5.56: CVE-2020-11996
Patched in v8.5.60: CVE-2021-24122
Still have a question?
Get fast answers from people who know.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.