Impact on Atlassian Products
There is an official statement from Atlassian for Confluence.
Confluence IS NOT VULNERABLE to CVE-2022-42889.
This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.
Confluence does not use the vulnerable module org.apache.commons.text.StringSubstitutor
The same is true for Jira: https://jira.atlassian.com/browse/JRASERVER-74501
Impact on Seibert Media Products
Regarding the official statement from Apache, we made sure our apps do not use the affected Commons class and be therefore not vulnerable for CVE-2022-42889.
|Seibert Media apps from Atlassian's Marketplace including all joint venture apps|
Data Center and Server Apps
Not affected. No action is required.
Shortlink for this page: https://seibert.biz/cve-2022-42889