On 11 December 2025, Atlassian published a security advisory addressing vulnerabilities in the following products:

• Bamboo Data Center and Server – multiple versions

• Bitbucket Data Center and Server – multiple versions

• Confluence Data Center and Server – multiple versions

• Crowd Data Center and Server – multiple versions

• Fisheye/Crucible – versions 4.9.0 to 4.9.5, versions 4.8.14 to 4.8.16

• Jira Data Center and Server – multiple versions

• Jira Service Management Data Center and Server – multiple versions

| Product | Vulnerable version | Update | Description | CVE ID | CVSS severity |
|---|---|---|---|---|---|
| Bamboo Data Center and Server | 12.0.1; 10.2.0 to 10.2.11 (LTS); 9.6.1 to 9.6.19 (LTS) | 12.0.2 Data Center Only; 10.2.12 (LTS) recommended Data Center Only; 9.6.20 (LTS) Data Center Only | XXE (XML External Entity Injection) Tika Dependency Vulnerability in Bamboo Data Center and Server | CVE-2025-66516 | 10 Critical |
| | | | DoS (Denial of Service) org.apache.tomcat:tomcat-util Dependency Vulnerability in Bamboo Data Center and Server | CVE-2025-52434 | 7.5 High |
| Bitbucket Data Center and Server | 9.1.0 to 9.1.1; 9.0.1; 8.19.0 to 8.19.24 (LTS); 8.18.0 to 8.18.1 | 10.1.1 to 10.1.3 Data Center Only; 10.0.0 to 10.0.2 Data Center Only; 9.4.0 to 9.4.15 (LTS) recommended Data Center Only; 8.19.25 to 8.19.26 (LTS) Data Center Only | DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency in Bitbucket Data Center and Server | CVE-2024-7254 | 8.7 High |
| Confluence Data Center and Server | 10.2.0 (LTS); 10.1.0 to 10.1.2; 10.0.2 to 10.0.3; 9.5.1 to 9.5.4; 9.4.0 to 9.4.1; 9.3.1 to 9.3.2; 9.2.0 to 9.2.11 (LTS); 9.1.0 to 9.1.1; 9.0.1 to 9.0.3; 8.9.0 to 8.9.8; 8.8.0 to 8.8.1; 8.5.5 to 8.5.29 (LTS); 7.19.18 to 7.19.30 (LTS) | 10.2.1 (LTS) recommended Data Center Only; 9.2.12 (LTS) Data Center Only; 8.5.30 (LTS) | XXE (XML External Entity Injection) Tika Dependency Vulnerability in Confluence Data Center and Server | CVE-2025-66516 | 10 Critical |
| | | | Prototype Pollution loader-utils Dependency Vulnerability in Confluence Data Center and Server | CVE-2022-37601 | 9.8 Critical |
| | | | SSRF (Server-Side Request Forgery) in Confluence Data Center and Server | CVE-2024-29415 | 8.1 High |
| | | | File Inclusion tar-fs Dependency in Confluence Data Center and Server | CVE-2024-12905 | 7.5 High |
| | | | DoS (Denial of Service) loader-utils Dependency Vulnerability in Confluence Data Center and Server | CVE-2022-37599 | 7.5 High |
| | | | DoS (Denial of Service) loader-utils Dependency Vulnerability in Confluence Data Center and Server | CVE-2022-37603 | 7.5 High |
| Crowd Data Center and Server | 7.1.0 to 7.1.1; 7.0.0 to 7.0.2; 6.3.0 to 6.3.3; 6.2.0 to 6.2.6; 6.1.0 to 6.1.7; 6.0.0 to 6.0.10; 5.3.0 to 5.3.8; 5.2.2 to 5.2.11; 5.1.7 to 5.1.13 | 7.1.2 recommended Data Center Only | XXE (XML External Entity Injection) Tika Dependency Vulnerability in Crowd Data Center and Server | CVE-2025-66516 | 10 Critical |
| | | | DoS (Denial of Service) com.fasterxml.jackson.core:jackson-core Dependency Vulnerability in Crowd Data Center and Server | CVE-2025-52999 | 8.7 High |
| | | | DoS (Denial of Service) io.netty:netty-codec-http2 Dependency Vulnerability in Crowd Data Center and Server | CVE-2025-55163 | 8.2 High |
| | | | Improper Authorization org.springframework.security:spring-security-core Dependency in Crowd Data Center | CVE-2025-41248 | 7.5 High |
| | | | DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency Vulnerability in Crowd Data Center and Server | CVE-2025-48989 | 7.5 High |
| | | | DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency Vulnerability in Crowd Data Center | CVE-2020-36518 | 7.5 High |
| | | | DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server | CVE-2021-46877 | 7.5 High |
| | | | DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server | CVE-2022-42004 | 7.5 High |
| | | | Information Disclosure com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server | CVE-2024-13009 | 7.2 High |
| Fisheye/Crucible | 4.9.0 to 4.9.5; 4.8.14 to 4.8.16 | 4.9.6 recommended | XXE (XML External Entity Injection) Tika Dependency Vulnerability in Crucible Server and Fisheye Server | CVE-2025-66516 | 10 Critical |
| | | | Improper Input Validation in MSSQL JDBC driver in Crucible Server and Fisheye Server | CVE-2025-59250 | 8.1 High |
| Jira Data Center and Server | 11.2.0 to 11.2.1; 11.1.0 to 11.1.1; 11.0.0 to 11.0.1; 10.3.0 to 10.3.14 (LTS); 9.12.1 to 9.12.30 (LTS) | 11.3.0 (LTS) recommended Data Center Only; 10.3.15 (LTS) Data Center Only | XXE (XML External Entity Injection) Tika Dependency in Jira Software Data Center and Server | CVE-2025-66516 | 10 Critical |
| | | | Prototype Pollution zrender Dependency in Jira Software Data Center and Server | CVE-2021-39227 | 9.8 Critical |
| | | | XXE (XML External Entity Injection) in Jira Software Data Center and Server | CVE-2025-54988 | 8.4 High |
| | | | DoS (Denial of Service) org.apache.struts:struts-core Dependency in Jira Software Data Center and Server | CVE-2016-1182 | 8.2 High |
| | | | DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Jira Software Data Center and Server | CVE-2025-55163 | 8.2 High |
| | | | RCE (Remote Code Execution) in Jira Software Data Center and Server | CVE-2016-1181 | 8.1 High |
| | | | SSRF (Server Side Request Forgery) axios Dependency in Jira Software Data Center and Server | CVE-2025-27152 | 7.7 High |
| | | | Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server | CVE-2025-41248 | 7.5 High |
| | | | DoS (Denial of Service) commons-fileupload:commons-fileupload Dependency in Jira Software Data Center and Server | CVE-2025-48976 | 7.5 High |
| | | | DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Software Data Center and Server | CVE-2024-21634 | 7.5 High |
| | | | DoS (Denial of Service) minimatch Dependency in Jira Software Data Center and Server | CVE-2022-3517 | 7.5 High |
| | | | DoS (Denial of Service) axios Dependency in Jira Software Data Center and Server | CVE-2025-58754 | 7.5 High |
| | | | XXE (XML External Entity Injection) in Jira Software Data Center and Server | CVE-2023-49735 | 7.5 High |
| | | | DoS (Denial of Service) org.codehaus.jettison:jettison Dependency Vulnerability in Jira Software Data Center and Server | CVE-2022-45693 | 7.5 High |
| | | | Prototype Pollution lodash.pick Dependency Vulnerability in Jira Software Data Center and Server | CVE-2020-8203 | 7.4 High |
| Jira Service Management Data Center and Server | 11.2.0 to 11.2.1; 11.1.0 to 11.1.1; 11.0.0 to 11.0.1; 10.3.0 to 10.3.14 (LTS) | 11.3.0 (LTS) recommended Data Center Only; 10.3.15 (LTS) Data Center Only | XXE (XML External Entity Injection) Tika Dependency in Jira Service Management Data Center and Server | CVE-2025-66516 | 10 Critical |
| | | | Prototype Pollution zrender Dependency in Jira Service Management Data Center and Server | CVE-2021-39227 | 9.8 Critical |
| | | | XXE (XML External Entity Injection) in Jira Service Management Data Center and Server | CVE-2025-54988 | 8.4 High |
| | | | DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Jira Service Management Data Center and Server | CVE-2025-55163 | 8.2 High |
| | | | DoS (Denial of Service) org.apache.struts:struts-core Dependency in Jira Service Management Data Center and Server | CVE-2016-1182 | 8.2 High |
| | | | RCE (Remote Code Execution) in Jira Service Management Data Center and Server | CVE-2016-1181 | 8.1 High |
| | | | XXE (XML External Entity Injection) in Jira Service Management Data Center and Server | CVE-2023-49735 | 7.5 High |
| | | | Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Service Management Data Center and Server | CVE-2025-41248 | 7.5 High |
| | | | DoS (Denial of Service) minimatch Dependency in Jira Service Management Data Center and Server | CVE-2022-3517 | 7.5 High |
| | | | DoS (Denial of Service) axios Dependency in Jira Service Management Data Center and Server | CVE-2025-58754 | 7.5 High |
| | | | Prototype Pollution lodash.pick Dependency Vulnerability in Jira Service Management Data Center and Server | CVE-2020-8203 | 7.4 High |