BSERV-13534: Upgrade Apache Commons-text to mitigate CVE-2022-42889 (excludes bundled OpenSearch)

Created: 2022-10-24 22:35:59 (Oct 24, 2022 - 10:35 p.m.)
Author: dkjellin
Source: jira.atlassian.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.972 High (percentile 99.8%)

h3. DISCLAIMER
{panel:title=Bundled OpenSearch|borderStyle=solid|borderColor=#3c78b5|titleBGColor=#3c78b5|bgColor=#e7f4fa}
This issue only covers commons-text usages in the Bitbucket WebApp, not the bundled OpenSearch. To track the upgrade of OpenSearch to a version that contains an updated commons-text dependency, please refer to BSERV-13588.
{panel}
{panel:bgColor=#e3fcef}
(!) No exploit through Bitbucket has been discovered, nor has a code path where the vulnerable class is used been identified. However, commons-text should be updated as a precaution and to avoid Bitbucket being flagged by vulnerability scanners, which will identify the vulnerable commons-text library.

This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

Bitbucket DC does not use the vulnerable class {{org.apache.commons.text.StringSubstitutor}}. CVE-2022-42889 lies in the interpolation lookups (script, dns, url) that {{StringSubstitutor}}'s default interpolator enables in commons-text 1.5 through 1.9; {{StringEscapeUtils}} performs no variable interpolation and is not the affected surface.

Apache commons-text is used by:

* {{com.atlassian.plugins:atlassian-nav-links-plugin}}
** only {{org.apache.commons.text.StringEscapeUtils}}
{panel}
h3. Issue Summary

The Apache Commons Text library should be upgraded to 1.10.0 or later to mitigate the exploitation described in [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889].
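Because the precaution here is driven by what vulnerability scanners will flag, a practitioner following this ticket will want to confirm which commons-text version a given installation actually ships. The following is an added example, not Atlassian's code or part of this ticket: a small scanner that walks an installation tree, reads the version of every commons-text jar it finds, and reports anything below 1.10.0. It assumes a Bitbucket-style layout in which the web application keeps jars under WEB-INF/lib and plugins such as atlassian-nav-links-plugin bundle their dependencies inside the plugin jar under META-INF/lib/; the fixture jars it builds for a stand-alone run are constructed and are not real Bitbucket artifacts.

```python
"""Report Apache commons-text jars below 1.10.0 (the release that fixes
CVE-2022-42889) in an installation tree.

Added example, not Atlassian's code. Assumptions: the web application keeps
its jars under WEB-INF/lib, and plugins such as atlassian-nav-links-plugin
bundle their dependencies inside the plugin jar under META-INF/lib/."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

FIXED = (1, 10, 0)
NAME_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")
IMPL_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'1.9' -> (1, 9, 0); pad to three parts so tuples compare element-wise."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def needs_upgrade(version):
    """True for anything below 1.10.0, which disables the script/dns/url
    interpolator lookups behind CVE-2022-42889 by default."""
    return parse_version(version) < FIXED


def version_of(zf, name):
    """Prefer the manifest's Implementation-Version, else the jar file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    m = IMPL_RE.search(manifest) or NAME_RE.search(name)
    return m.group(1) if m else None


def scan(root):
    """Return [(location, version, needs_upgrade)] for every commons-text jar
    found as a file under root or nested in a jar's META-INF/lib/."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if NAME_RE.search(jar.name):
                    v = version_of(zf, jar.name)
                    findings.append((str(jar), v, needs_upgrade(v)))
                    continue
                for member in zf.namelist():
                    if member.startswith("META-INF/lib/") and NAME_RE.search(member):
                        with zipfile.ZipFile(io.BytesIO(zf.read(member))) as nested:
                            v = version_of(nested, member)
                        findings.append((f"{jar}!/{member}", v, needs_upgrade(v)))
        except zipfile.BadZipFile:
            continue  # unreadable archive; leave it to a fuller scanner
    return findings


def build_sample_tree(root=None):
    """Constructed fixture (not real Bitbucket artifacts): a 1.9 jar in
    WEB-INF/lib and a plugin jar bundling 1.10.0 under META-INF/lib/."""
    root = Path(root or tempfile.mkdtemp())
    lib = root / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "commons-text-1.9.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.9\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.10.0\n")
    plugins = root / "plugins"
    plugins.mkdir(exist_ok=True)
    with zipfile.ZipFile(plugins / "atlassian-nav-links-plugin.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/lib/commons-text-1.10.0.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    # Pass an installation directory, or run with no arguments to scan the fixture.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    flagged = False
    for loc, v, bad in scan(root):
        print(f"{'UPGRADE' if bad else 'ok     '} {v or '?'}  {loc}")
        flagged |= bad
    sys.exit(1 if flagged else 0)
```

The exit status makes the check usable as a post-upgrade gate. Note that, like this ticket, it only covers the tree it is pointed at: the bundled OpenSearch tracked in BSERV-13588 ships its own libraries and has to be scanned from its own directory.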
