Security Advisories

This page lists all the security vulnerabilities fixed in released versions of the PlantUML for Confluence app. 

If you have encountered an unlisted security vulnerability, or other unexpected behavior with security impact, please report it privately to the PlantUML Developer Team. Thank you.

 

Critical vulnerability in Apache Log4j (Log4Shell, CVE-2021-44228, CVE-2021-45046)

The PlantUML for Confluence app was not affected by the Log4Shell vulnerabilities (https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://nvd.nist.gov/vuln/detail/CVE-2021-45046).

The plugin does not use log4j2 for logging, nor does it bundle the log4j library.

Critical vulnerability in Spring Framework (Spring4Shell, CVE-2022-22965)

The PlantUML for Confluence app uses the Spring components provided by Confluence and may be affected by https://nvd.nist.gov/vuln/detail/CVE-2022-22965 if your Confluence instance itself meets the criteria outlined by Atlassian in https://confluence.atlassian.com/kb/faq-for-cve-2022-22963-cve-2022-22965-1115149136.html. Follow the guide provided by Atlassian to check and fix your Confluence Server; no separate action for our apps is needed.

Critical vulnerability in Apache Commons Text (CVE-2022-42889)

The PlantUML for Confluence app was not affected by the Apache Commons Text variable-interpolation vulnerability CVE-2022-42889 (https://nvd.nist.gov/vuln/detail/CVE-2022-42889).

The plugin does not use Apache Commons Text variable interpolation. It has only a transitive dependency on the library, through Confluence (com.atlassian.confluence:confluence:jar).
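The Spring and Commons Text entries above both turn on where a library enters the dependency graph and in which Maven scope it arrives: a `provided` dependency (Confluence's own JAR and everything it pulls in) is not packaged into the app, so the host's copy is the one that has to be patched, while a `compile` dependency ships inside the app JAR. The script below is an added example, not code from the app or its build: it parses the text output of `mvn dependency:tree`, reports the chain through which each watch-listed library arrives, whether it is bundled, and whether its version is below the fix versions given in the NVD entries linked above. The two trees it runs on are constructed samples with placeholder coordinates and versions, not the app's real dependency tree, and the watch list and fix versions are assumptions you should extend for your own policy.

```python
"""Trace watch-listed libraries through `mvn dependency:tree` output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Earliest fixed versions per the NVD entries linked above. Assumption: your
# watch list is these two libraries; extend the table for your own policy.
WATCH = {
    ("org.apache.logging.log4j", "log4j-core"): ("2.16.0", "CVE-2021-44228, CVE-2021-45046"),
    ("org.apache.commons", "commons-text"): ("1.10.0", "CVE-2022-42889"),
}

# Artifacts in these scopes are not packaged into the app JAR; the host
# (here Confluence) supplies its own copy at runtime.
HOST_SCOPES = {"provided", "test"}

# One tree line: "[INFO] " + drawing prefix ("+- ", "\- ", "|  ", "   ") + coordinate
LINE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>\S+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    parent: Optional["Node"] = None

    def lineage(self) -> List["Node"]:
        chain, n = [], self
        while n is not None:
            chain.append(n)
            n = n.parent
        return chain[::-1]


def version_key(v: str):
    """Numeric prefix of a version, so '2.0-beta9' < '2.16.0' and '1.9' < '1.10.0'."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def parse_tree(text: str) -> List[Node]:
    nodes, stack = [], []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue                              # "BUILD SUCCESS" and similar lines
        depth = len(m.group("prefix")) // 3       # each tree column is 3 chars wide
        parts = m.group("coord").split(":")
        if len(parts) == 4:                       # root: group:artifact:type:version
            g, a, _, v = parts
            s = "compile"
        elif len(parts) == 5:                     # group:artifact:type:version:scope
            g, a, _, v, s = parts
        elif len(parts) == 6:                     # ...:type:classifier:version:scope
            g, a, _, _, v, s = parts
        else:
            raise ValueError(f"unexpected coordinate: {m.group('coord')}")
        node = Node(g, a, v, s, stack[depth - 1] if depth else None)
        del stack[depth:]                         # drop siblings deeper than this node
        stack.append(node)
        nodes.append(node)
    return nodes


def analyse(tree_text: str) -> List[dict]:
    """For each watch-listed artifact: how it arrives, whether it ships, whether it is pre-fix."""
    findings = []
    for node in parse_tree(tree_text):
        hit = WATCH.get((node.group, node.artifact))
        if hit is None:
            continue
        fixed, cves = hit
        findings.append({
            "artifact": node.artifact,
            "version": node.version,
            "scope": node.scope,
            "bundled": node.scope not in HOST_SCOPES,
            "vulnerable_version": version_key(node.version) < version_key(fixed),
            "via": " -> ".join(n.artifact for n in node.lineage()),
            "cves": cves,
        })
    return findings


# Constructed sample trees; coordinates and versions are placeholders, not the app's.
SAMPLE_TREE_APP = """\
[INFO] com.example:plantuml-confluence:atlassian-plugin:1.0.0
[INFO] +- net.sourceforge.plantuml:plantuml:jar:1.2023.1:compile
[INFO] +- org.jsoup:jsoup:jar:1.15.3:compile
[INFO] \\- com.atlassian.confluence:confluence:jar:7.19.0:provided
[INFO]    \\- org.apache.commons:commons-text:jar:1.9:provided
"""

SAMPLE_TREE_FAT = """\
[INFO] com.example:fat-app:atlassian-plugin:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.commons:commons-text:jar:1.9:compile
"""

if __name__ == "__main__":
    for name, tree in (("app", SAMPLE_TREE_APP), ("fat", SAMPLE_TREE_FAT)):
        for f in analyse(tree):
            where = "BUNDLED in app" if f["bundled"] else f"supplied by host ({f['scope']} scope)"
            print(f"{name}: {f['artifact']} {f['version']} via {f['via']}: {where};"
                  f" pre-fix={f['vulnerable_version']} ({f['cves']})")
```

Run `mvn dependency:tree` in the app's checkout and pass the saved output to `analyse`. The scope Maven prints is already the effective one, so a library reached only through a `provided` dependency is reported as host-supplied even when its version is pre-fix: that is the Confluence case the Commons Text entry describes, and the remedy is the fix Atlassian publishes for the host, not a release of the app. A `compile` hit on the other hand means the library ships inside the app JAR and only an app update removes it.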

 

The PlantUML for Confluence app uses the following third-party components:

  • org.apache.xmlgraphics:batik-constants

  • org.apache.xmlgraphics:batik-svggen

  • org.jsoup:jsoup

  • net.sourceforge.plantuml:plantuml

  • com.google.code.gson:gson

  • org.apache.xmlgraphics:batik-util

  • org.apache.xmlgraphics:batik-i18n

  • org.scilab.forge:jlatexmath

  • org.apache.xmlgraphics:batik-awt-util

The Maven POM lists the detailed versions of the third party components.

The native graphviz package is not bundled by this app.
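The POM says what the build declares; what actually ships is the app JAR, and Atlassian OSGi apps commonly nest their dependency JARs under META-INF/lib, where a flat listing of the outer JAR does not show them. The script below is an added example, not code from the app: it walks a JAR and every JAR nested inside it for the class entries that identify log4j-core's JNDI lookup and Commons Text's StringSubstitutor, so the "not bundled" statements in the Log4Shell and Commons Text entries above can be checked against the installed artifact rather than taken on trust. The two JARs it scans are constructed in a temporary directory for the demonstration; the directory in which Confluence keeps installed app JARs depends on your installation and is left as an argument to `scan_dir`. One limit of the check: absence of `StringSubstitutor.class` shows the library is not bundled, but says nothing about whether the app's code calls into the host's copy, which is the separate claim the Commons Text entry makes.

```python
"""Check what an app JAR actually bundles, nested JARs included."""
import io
import os
import tempfile
import zipfile

# Class entries that identify the libraries named in the advisories above.
# Their presence inside a JAR, or inside a JAR nested in it, means the
# library ships with the app regardless of what the POM declares.
INDICATORS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "log4j-core JNDI lookup (CVE-2021-44228, CVE-2021-45046)",
    "org/apache/commons/text/StringSubstitutor.class":
        "Commons Text variable interpolation (CVE-2022-42889)",
}


def scan_bytes(data, label, findings):
    """Walk one ZIP/JAR held in memory; recurse into nested *.jar entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in INDICATORS:
                findings.append((label, name, INDICATORS[name]))
            elif name.lower().endswith(".jar"):
                scan_bytes(zf.read(name), f"{label}!{name}", findings)


def scan_jar(path):
    """Return [(container, entry, description)] for every indicator found."""
    findings = []
    with open(path, "rb") as fh:
        scan_bytes(fh.read(), os.path.basename(path), findings)
    return findings


def scan_dir(directory):
    """Scan every *.jar in a directory, e.g. wherever Confluence keeps app JARs."""
    return {
        entry: scan_jar(os.path.join(directory, entry))
        for entry in sorted(os.listdir(directory))
        if entry.lower().endswith(".jar")
    }


# ---- constructed sample artifacts (not the real app) ----
FAKE_CLASS = b"\xca\xfe\xba\xbe"   # class-file magic; the body is irrelevant here


def _write_jar(target, entries):
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_samples(directory):
    # 1) an app that carries only its own classes plus a diagramming library
    _write_jar(os.path.join(directory, "clean-app.jar"), {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/macro/PlantUmlMacro.class": FAKE_CLASS,
        "net/sourceforge/plantuml/SourceStringReader.class": FAKE_CLASS,
    })
    # 2) an app that nests log4j-core under META-INF/lib and also carries
    #    Commons Text directly; a flat listing of the outer JAR misses the first
    nested = io.BytesIO()
    _write_jar(nested, {"org/apache/logging/log4j/core/lookup/JndiLookup.class": FAKE_CLASS})
    _write_jar(os.path.join(directory, "fat-app.jar"), {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/lib/log4j-core-2.14.1.jar": nested.getvalue(),
        "org/apache/commons/text/StringSubstitutor.class": FAKE_CLASS,
    })


def demo():
    """Build the samples in a temp dir and scan them; returns {jar: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_dir(tmp)


if __name__ == "__main__":
    for jar, hits in demo().items():
        print(jar, "-> clean" if not hits else "")
        for container, entry, why in hits:
            print(f"  {container}: {entry}  [{why}]")
```

The same walk applied to Confluence's own WEB-INF/lib tells you what the host supplies, which is the copy the Spring and Commons Text entries above defer to Atlassian for. Matching on `JndiLookup.class` follows the widely used Log4Shell detection and mitigation practice of looking for, and removing, that single class; if you extend the indicator table, prefer entries that exist only in the affected library.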

Security Vulnerabilities