8.5 and 8.13 LTS releases should bundle Tomcat 8.5.63 or higher
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
h3. Issue Summary
The Apache Tomcat version used by the currently available LTS (Long Term Support) releases has a few vulnerabilities, therefore the next LTS release should bundle an updated version of Tomcat.
h3. Steps to Reproduce
Not applicable.
h3. Expected Results
- Not applicable.
h3. Actual Results
- Not applicable.
h3. Note on fix
Tomcat version will be bumped to version [8.5.65|https://tomcat.apache.org/tomcat-8.5-doc/changelog.html]
h3. Workaround
- You can manually upgrade the Apache Tomcat version used by Jira following the procedures outlined in the following article: [How to Upgrade Apache Tomcat version in Jira|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-in-jira-7-x-879957866.html].
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N