A critical security vulnerability (CVE-2022-42889) was discovered in Apache Commons Text, versions 1.5 through 1.9, on 13 November 2022.

Impact on Atlassian Products

There is an official statement from Atlassian for Confluence.

 Confluence IS NOT VULNERABLE to CVE-2022-42889.

This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

Confluence does not use the vulnerable module org.apache.commons.text.StringSubstitutor

Source: https://jira.atlassian.com/browse/CONFSERVER-81048

The same is true for Jira: https://jira.atlassian.com/browse/JRASERVER-74501

Impact on Seibert Media Products

In light of the official statement from Apache, we made sure our apps do not use the affected Commons class and are therefore not vulnerable to CVE-2022-42889.

Seibert Media apps from Atlassian's Marketplace including all joint venture apps

Data Center and Server Apps

  • Not affected. No action is required.

Cloud Apps

  • Not affected. No action is required.

Linchpin Hey

Not affected. No action is required.


Shortlink for this page: https://seibert.biz/cve-2022-42889

This content was last updated on 11/24/2022.