Atlassian fixes high-risk vulnerabilities in Confluence, Jira & Co.
Atlassian has released security updates for Bamboo, Confluence and Jira. They seal gaps classified as high risk.
(Image: Created with AI in Bing Creator by heise online / dmk)
Atlassian has released updates for Bamboo, Confluence, and Jira that are intended to seal security gaps in the products that are classified as high risk. IT managers should download and apply the updates promptly.
In the overview of Atlassian's April updates, the developers provide details of the vulnerabilities. Bamboo contains a denial-of-service vulnerability in the third-party component Netplex Json-smart (CVE-2024-57699, CVSS 7.5, risk “high”). Confluence is also vulnerable to a denial-of-service condition caused by the “io.netty” component (CVE-2025-24970, CVSS 7.5, risk “high”). In addition, attackers can abuse an XML External Entity Injection (XXE) vulnerability in the library “org.codehaus.jackson:jackson-mapper-asl” – this one is quite old, with a CVE entry dating from 2019 (CVE-2019-10172, CVSS 7.5, risk “high”).
Atlassian: Further security vulnerabilities
Another XXE vulnerability affects Jira (CVE-2021-33813, CVSS 7.7, risk “high”). Attackers can also trigger a denial-of-service condition through a vulnerability in the “net.minidev.json-smart” library (CVE-2024-57699, CVSS 7.5, risk “high”). Jira Service Management also contains an XXE vulnerability (CVE-2021-33813, CVSS 7.7, risk “high”) and shares the “net.minidev.json-smart” vulnerability with Jira.
Different development branches of the software are affected, but Atlassian provides the following versions to correct the security-relevant errors:
- Bamboo Data Center and Server 10.2.3 (LTS) as well as 9.6.11 and 9.6.12 (LTS)
- Confluence Data Center and Server 9.4.0, 9.2.3 (LTS) and 8.5.21 (LTS)
- Jira Data Center and Server 10.5.1, 10.3.5 (LTS) and 9.12.22 (LTS)
- Jira Service Management Data Center and Server 10.5.1, 10.3.5 (LTS) and 5.12.22 (LTS)
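The fixed-release list above is what an administrator has to compare an inventory against, and the comparison is branch-sensitive: Confluence 9.2.2 needs 9.2.3, while 8.5.20 needs 8.5.21, and a branch that is not listed at all (Jira 9.11.x, say) has no fixed release in this advisory and must be moved to one of the listed versions. The following Python script is an added example, not code from heise online or Atlassian; it encodes only the versions named in the list above, and the inventory entries it checks are constructed sample data. Whether releases on branches the advisory does not mention are affected is not stated on the page, so the script reports those separately instead of guessing.

```python
from typing import Tuple

# Fixed releases exactly as named in the April advisory summary (page data).
# Bamboo lists both 9.6.11 and 9.6.12, so the lowest fix on each branch counts.
FIXED_RELEASES = {
    "bamboo": ["10.2.3", "9.6.11", "9.6.12"],
    "confluence": ["9.4.0", "9.2.3", "8.5.21"],
    "jira": ["10.5.1", "10.3.5", "9.12.22"],
    "jira-service-management": ["10.5.1", "10.3.5", "5.12.22"],
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable integer triple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def minimum_fix_on_branch(product: str, installed: Version):
    """Lowest fixed release sharing major.minor with the installed build, or None."""
    candidates = [
        parse_version(v)
        for v in FIXED_RELEASES[product]
        if parse_version(v)[:2] == installed[:2]
    ]
    return min(candidates) if candidates else None


def assess(product: str, installed_version: str) -> str:
    """Classify an installed build against the advisory's fixed releases.

    Returns 'patched', 'vulnerable' or 'branch-not-listed'. The last value
    means the advisory names no fixed release on that branch, so the only
    remediation the page supports is moving to a listed version.
    """
    installed = parse_version(installed_version)
    fix = minimum_fix_on_branch(product, installed)
    if fix is None:
        return "branch-not-listed"
    return "patched" if installed >= fix else "vulnerable"


def report(inventory) -> dict:
    """Summarise a list of (host, product, version) tuples by status."""
    summary = {"patched": [], "vulnerable": [], "branch-not-listed": []}
    for host, product, version in inventory:
        summary[assess(product, version)].append((host, product, version))
    return summary


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = [
        ("wiki-01", "confluence", "9.2.2"),
        ("wiki-02", "confluence", "8.5.21"),
        ("build-01", "bamboo", "9.6.10"),
        ("issues-01", "jira", "9.11.3"),
        ("desk-01", "jira-service-management", "5.12.22"),
    ]
    for status, hosts in report(sample_inventory).items():
        print(f"{status}:")
        for host, product, version in hosts:
            print(f"  {host:10} {product:25} {version}")
```

Feeding the script a real inventory (for example, the version string shown in each product's administration page) gives a quick triage list; anything under "branch-not-listed" still needs an upgrade decision, because the advisory offers no patch-level fix for those branches.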
In February, Atlassian had already released updates to fix high-risk vulnerabilities; back then, Bitbucket and Jira were affected in addition to Bamboo.
(dmk)