Upgrade Tomcat to fix CVE-2023-46589

h3. Issue Summary
This is reproducible on Data Center: (/)

Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a later version to fix [CVE-2023-46589|https://nvd.nist.gov/vuln/detail/CVE-2023-46589].

h3. Environment

• From Confluence 6.10.0, which comes with Apache 9.0.8, up to
• Confluence 8.7.1, which comes with Apache 9.0.82

These are Tomcat versions affected by CVE-2023-46589.

h3. Steps to Reproduce

• Check the [Apache Tomcat version bundled with Confluence|https://confluence.atlassian.com/doc/bundled-tomcat-and-java-versions-1005786018.html]

h3. Expected Results

• Confluence Apache Tomcat version 9.0.83 and later

h3. Actual Results

• Apache Tomcat version 9.0.82 and earlier

h3. Workaround
To mitigate the issue, it is possible to manually upgrade Apache Tomcat by following the process described in the KB article below but please note that this will place the application in an {}unsupported state{}:

• [How to Upgrade The Tomcat Container for Confluence|https://confluence.atlassian.com/confkb/how-to-upgrade-the-tomcat-container-for-confluence-336757062.html]

{}WARNING{}: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Confluence running over unofficial Tomcat versions.