Upgrade Apache Commons-text for CVE-2022-42889

2022-11-1716:05:18

caronson

jira.atlassian.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.972 High

EPSS

Percentile

99.8%

JSON

h3. DISCLAIMER
{panel:bgColor=#e3fcef}
(!) Crowd {}IS NOT VULNERABLE to [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889]{}.

This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

Crowd does not use the vulnerable module {{org.apache.commons.text.StringSubstitutor}}
{panel}
h3. Issue Summary

Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on [CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889]
h3. Steps to Reproduce

Check <install-directory>/crowd-webapp/WEB-INF/lib/ for commons-text-X.X.jar
h3. Expected Results

apache-common-text 1.10.0+ is expected
h3. Actual Results

commons-text-1.9.jar (or earlier) is used
h3. Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

CPENameOperatorVersion
crowd data centerle4.3.5
crowd data centerle5.0.0
crowd data centerlt4.4.5
crowd data centerlt5.1.2
crowd data centerlt5.0.5
crowd data centerlt4.3.11