CVSS3: 9.8 High, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* Attack Vector: NETWORK
* Attack Complexity: LOW
* Privileges Required: NONE
* User Interaction: NONE
* Scope: UNCHANGED
* Confidentiality Impact: HIGH
* Integrity Impact: HIGH
* Availability Impact: HIGH

CVSS2: 7.5 High, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
* Access Vector: NETWORK
* Access Complexity: LOW
* Authentication: NONE
* Confidentiality Impact: PARTIAL
* Integrity Impact: PARTIAL
* Availability Impact: PARTIAL

EPSS: 0.972 High, percentile 99.8%
h3. DISCLAIMER
{panel:title=Bundled OpenSearch|borderStyle=solid|borderColor=#3c78b5|titleBGColor=#3c78b5|bgColor=#e7f4fa}
This issue only covers commons-text usage in the Bitbucket WebApp, not the bundled OpenSearch. To track the upgrade of OpenSearch to a version that contains an updated commons-text dependency, please refer to BSERV-13588.
{panel}
{panel:bgColor=#e3fcef}
(!) No exploit through Bitbucket has been discovered, nor has a code path been identified where the vulnerable class is used. However, commons-text should be updated as a precaution and to avoid Bitbucket being flagged by vulnerability scanners that identify the vulnerable commons-text library.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Bitbucket DC does not use the vulnerable module {{org.apache.commons.text.StringSubstitutor}}.
Apache commons-text is used by Bitbucket DC only through:
* {{org.apache.commons.text.StringEscapeUtils}}
{panel}
h3. Issue Summary
The Apache Commons Text library should be upgraded to 1.10.0 or later to mitigate exploitation attempts listed on [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889].