A critical security vulnerability (CVE-2022-42889) was discovered in the Apache Commons Text including version 1.5 up to 1.9 on 13 November 2022.

Impact on Atlassian Products

There is an official statement from Atlassian for Confluence.

Confluence IS NOT VULNERABLE to CVE-2022-42889.

This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

Confluence does not use the vulnerable module org.apache.commons.text.StringSubstitutor

Source: https://jira.atlassian.com/browse/CONFSERVER-81048

The same is true for Jira: https://jira.atlassian.com/browse/JRASERVER-74501

Impact on Seibert Media Products

Regarding the official statement from Apache, we made sure our apps do not use the affected Commons class and be therefore not vulnerable for CVE-2022-42889. 

Seibert Media apps from Atlassian's Marketplace including all joint venture apps

Data Center and Server Apps

  • Not affected. No action is required.

Cloud Apps

  • Not affected. No action is required.
Linchpin Hey

Not affected. No action is required.


Shortlink for this page: https://seibert.biz/cve-2022-42889

  • No labels
This page was last edited on 08/20/2024.