mendhak / bitbucket-all-pull-requests

Plugin to show all pull requests in Bitbucket Server.
BSD 3-Clause "New" or "Revised" License

Is All Pull Requests plugin for Bitbucket DC affected by Spring4Shell vulnerability (CVE-2022-22965) #5

Closed shafemoh closed 2 years ago

shafemoh commented 2 years ago

Hi, we are using the All Pull Requests plugin v1.9 for Bitbucket DC (v7.17.1), but we would need your confirmation whether this plugin is impacted by the security vulnerability GHSA-36p3-wjmg-h94x (Spring4Shell).

Regards, Shafeeq

mendhak commented 2 years ago

This plugin itself shouldn't be. You'll instead want to look at the Atlassian advisories regarding Bitbucket Server:

https://confluence.atlassian.com/kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html

Which says:

> The following self-managed products use impacted versions of Spring but are not vulnerable to any known exploit: Bitbucket Server and Data Center

shafemoh commented 2 years ago

Okay, thanks for the confirmation. Closing the request.