his is reproducible on Data Center: yes

• The current version of Tomcat 9.0.63 is bundled with Confluence 7.18.2 and Confluence 7.13.8 are vulnerable to CVE-2022-34305 [https://vulners.com/cve/CVE-2022-34305]

h3. Steps to Reproduce

-

h3. Expected Results

h3. Actual Results

h3. Workaround

Manually updating Tomcat would be a valid workaround, however, checking the Tomcat download link we can see that the latest available version is

• For Tomcat 9, 9.0.64 [http://archive.apache.org/dist/tomcat/tomcat-9/]
  So, not even Tomcat has released a version that has the fix for this CVE, looks like this vulnerability is currently undergoing analysis.

Opening a ticket to keep track of it on our side.

[Update from Jul 21, 2022]
Tomcat released the 9.0.65 version which contains the fix for this vulnerability (CVE-2022-34305):

• [Tomcat 9 - changelog|https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#:~:text=Examples. Fix-,CVE-2022-34305,-%2C a low severity]