Atlassian security updates: Bamboo and Confluence are vulnerable
In the worst case, attackers can infect systems running Atlassian applications with malware.
(Image: AFANASEV IVAN/Shutterstock.com)
To prevent attackers from exploiting several security vulnerabilities in Atlassian Bamboo Data Center and Server, Confluence Data Center and Server, and Crowd Data Center and Server, admins should install the now available patches immediately.
Various dangers
As Atlassian lists in the security section of its website, three vulnerabilities in the bundled components Apache Tika (CVE-2025-66516), sha.js (CVE-2025-9288), and cipher-base (CVE-2025-9287) are rated "critical". If attacks on these are successful, attackers can manipulate data. In one of these cases, however, a victim must first open a prepared PDF file. So far, there are no reports that attackers are already exploiting the vulnerabilities.
If the remaining vulnerabilities are exploited successfully, attackers can, among other things, crash services (Denial of Service, DoS; for example, CVE-2022-25883, rated "high") and thus paralyze them, or even execute malicious code remotely (CVE-2025-48734, rated "high"). The following versions are protected against the described attacks:
- Bamboo Data Center and Server: 12.1.2 (LTS, recommended, Data Center only); 10.2.14 to 10.2.15 (LTS, Data Center only)
- Confluence Data Center and Server: 9.2.14 (LTS, Data Center only); 9.2.15 (LTS, recommended, Data Center only); 10.2.3 (LTS, Data Center only); 10.2.6 (LTS, recommended, Data Center only)
- Crowd Data Center and Server: 7.1.4 (recommended, Data Center only)
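As an added example (not code from the article or from Atlassian), the following checker compares an installed version against the fixed releases listed above. The version numbers are taken from the list; the product keys, the "release line = first two components" rule, and the handling of unlisted lines are assumptions.

```python
# Added example, not part of the original article. Fixed releases are copied
# from the list above; everything else (product keys, release-line logic)
# is an assumption of this example.
from typing import Optional

# product -> release line -> (earliest fixed release, recommended release or None)
# A release line is assumed to be the first two version components, e.g. "10.2".
FIXED: dict[str, dict[str, tuple[str, Optional[str]]]] = {
    "bamboo":     {"12.1": ("12.1.2", "12.1.2"), "10.2": ("10.2.14", None)},
    "confluence": {"9.2": ("9.2.14", "9.2.15"), "10.2": ("10.2.3", "10.2.6")},
    "crowd":      {"7.1": ("7.1.4", "7.1.4")},
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.2.14' into (10, 2, 14) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def check(product: str, installed: str) -> dict:
    """Classify an installed version against the fixed releases of its line.

    status is one of:
      'patched'      - at or above the earliest fixed release on that line
      'vulnerable'   - on a listed line but below the fixed release
      'unlisted'     - release line not in the list; treat as needing an
                       upgrade to a listed line and verify manually
    target is the recommended release for that line when the article names one,
    otherwise the earliest fixed release.
    """
    lines = FIXED[product.lower()]
    inst = parse_version(installed)
    line = ".".join(str(p) for p in inst[:2])
    if line not in lines:
        return {"status": "unlisted", "target": None}
    fixed, recommended = lines[line]
    status = "patched" if inst >= parse_version(fixed) else "vulnerable"
    return {"status": status, "target": recommended or fixed}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("confluence", "9.2.13"), ("bamboo", "10.2.15"), ("confluence", "8.5.1")]:
        print(product, version, check(product, version))
```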
(des)