We are using Jira 8.13.18, the Server edition of Jira,
which in turn uses Tomcat 8.5.72.
Are we affected? Should we upgrade to the corresponding LTS version?
Below is the explanation regarding the CVE for reference.
As per the CVE:
CVE-2022-25762 Apache Tomcat - Request Mix-up
Vendor: The Apache Software Foundation
Apache Tomcat 9.0.0.M1 to 9.0.20
Apache Tomcat 8.5.0 to 8.5.75
If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.
Users of the affected versions should apply one of the following:
- Upgrade to Apache Tomcat 9.0.21 or later
- Upgrade to Apache Tomcat 8.5.76 or later
https://confluence.atlassian.com/kb/faq-for-cve-2022-22965-1115149136.html
Atlassian is still looking into it, but based on the products completed in research, it is not. This link will most likely be updated when needed.
This looks like a different CVE.
The one OP has linked is related to a Tomcat vulnerability.
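Added example, not part of the original thread and not Tomcat's code: a simplified, single-threaded model of the failure class the advisory quoted in the question describes, where an object placed in a pool twice is handed to two later connections. The names `Processor`, `NaivePool`, `GuardedPool` and `simulate` are hypothetical, and the idempotent release is one generic mitigation, not a description of the actual Tomcat fix.

```python
class Processor:
    """Stand-in for a pooled per-connection object that buffers a response."""
    def __init__(self, name):
        self.name = name
        self.response = None


class NaivePool:
    """release() appends unconditionally, so a double release duplicates the entry."""
    def __init__(self, objects):
        self._free = list(objects)

    def acquire(self):
        return self._free.pop()

    def release(self, obj):
        self._free.append(obj)


class GuardedPool(NaivePool):
    """release() is idempotent: an object already in the pool is not added again."""
    def release(self, obj):
        if any(obj is free for free in self._free):
            return  # second release of the same object is ignored
        self._free.append(obj)


def simulate(pool_cls):
    """Return (B and C share one object, response B reads back)."""
    pool = pool_cls([Processor("p1"), Processor("p2")])  # constructed sample pool
    conn_a = pool.acquire()
    pool.release(conn_a)   # normal close path recycles the object
    pool.release(conn_a)   # error path after use-after-close recycles it again

    conn_b = pool.acquire()
    conn_c = pool.acquire()
    conn_b.response = "data for B"
    conn_c.response = "data for C"   # overwrites B's state if the object is shared
    return conn_b is conn_c, conn_b.response


if __name__ == "__main__":
    print("naive:  ", simulate(NaivePool))
    print("guarded:", simulate(GuardedPool))
```

With the naive pool, connection B reads back the data written for C, which is the "data returned to the wrong user" outcome the advisory warns about.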