Security Patches Atlassian: Bamboo, Confluence & Co. are vulnerable

DoS and malware security vulnerabilities, among others, threaten Atlassian applications. Admins should install the patches promptly.


(Image: Tatiana Popova/Shutterstock.com)


Attackers can exploit several software vulnerabilities, including those in Atlassian Bamboo Data Center and Server, Confluence Data Center and Server, and Jira Data Center and Server, potentially leading to complete compromise of affected systems in the worst-case scenario. Security updates are available.

So far, the software manufacturer has not issued any warnings that attackers are already exploiting the vulnerabilities. That can change quickly, however, so admins should react soon. The versions hardened against the attacks described below are listed at the end of this report.

In the security section of its website, Atlassian lists the now-closed security vulnerabilities and the specific versions affected. The most dangerous is rated “critical” (CVE-2026-22732) and lies in the Spring Security framework, which Jira Data Center and Server uses. Through it, attackers can target instances via HTTP headers and access data that should actually be isolated. How such an attack could be carried out in practice is not yet known.

The remaining vulnerabilities are all classified at the “high” threat level. Through these, attackers can execute malicious code remotely, for example in Fisheye/Crucible (e.g., CVE-2026-27830). A successful attack on Confluence Data Center and Server can lead to crashes (CVE-2026-29062) or data leaks (CVE-2026-29146).


The developers assure that the errors have been fixed in the following versions:

  • Bamboo Data Center and Server 12.1.7 (LTS) recommended Data Center Only, 10.2.19 (LTS) Data Center Only, 9.6.26 (LTS) Data Center Only
  • Bitbucket Data Center and Server 10.2.2 to 10.2.3 (LTS) recommended Data Center Only, 9.4.19 to 9.4.20 (LTS) Data Center Only
  • Confluence Data Center and Server 10.2.11 (LTS) recommended Data Center Only, 9.2.20 (LTS) Data Center Only
  • Fisheye/Crucible 4.9.10 recommended
  • Jira Data Center and Server 11.3.5 to 11.3.6 (LTS) recommended Data Center Only, 10.3.20 to 10.3.21 (LTS) Data Center Only, 9.12.35 (LTS)
  • Jira Service Management Data Center and Server 11.3.5 to 11.3.6 (LTS) recommended Data Center Only, 10.3.20 to 10.3.21 (LTS) Data Center Only
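The list above gives one fixed version per release line, and an admin with several instances usually wants a quick answer per host: is this build at or above the fix for its own line, or is it on a line that has no listed fix at all? The following checker is an added example, not code from the article or from Atlassian. Its fixed-version table is copied from the list above (where the list gives a range such as "10.2.2 to 10.2.3", the lower bound is used as the minimum), the product keys are this example's own labels rather than any Atlassian identifier, and the sample inventory is constructed.

```python
from __future__ import annotations

# Lowest fixed version on each release line, per product, taken from the
# article's list. The product keys are this example's own labels.
FIXED_VERSIONS = {
    "bamboo": ["12.1.7", "10.2.19", "9.6.26"],
    "bitbucket": ["10.2.2", "9.4.19"],
    "confluence": ["10.2.11", "9.2.20"],
    "fisheye-crucible": ["4.9.10"],
    "jira": ["11.3.5", "10.3.20", "9.12.35"],
    "jira-service-management": ["11.3.5", "10.3.20"],
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '10.3.21' into (10, 3, 21); non-numeric suffixes and missing
    components are tolerated ('9.12' -> (9, 12, 0), '9.12.35-rc' -> (9, 12, 35))."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fixed_version_for_line(product: str, installed: str):
    """Return the fixed version on the installed major.minor line, or None
    when the product is unknown or that line has no listed fix."""
    line = parse_version(installed)[:2]
    for fixed in FIXED_VERSIONS.get(product, []):
        if parse_version(fixed)[:2] == line:
            return fixed
    return None


def is_patched(product: str, installed: str) -> tuple[bool, str]:
    """Decide whether an installed build is at or above the fix for its line.

    A line that is not in the table (an older line, or one newer than the
    list) is reported as unpatched with a pointer to the listed lines, since
    the article makes no statement about it."""
    if product not in FIXED_VERSIONS:
        return False, f"unknown product {product!r}"
    fixed = fixed_version_for_line(product, installed)
    if fixed is None:
        major, minor = parse_version(installed)[:2]
        return False, (f"{product} {installed}: release line {major}.{minor} has no "
                       f"listed fix; move to one of {', '.join(FIXED_VERSIONS[product])}")
    if parse_version(installed) >= parse_version(fixed):
        return True, f"{product} {installed} is at or above fixed version {fixed}"
    return False, f"{product} {installed} is below fixed version {fixed}; upgrade"


def report(inventory):
    """Run the check over (product, version) pairs; returns a list of
    (product, version, patched, reason) tuples for further processing."""
    return [(p, v, *is_patched(p, v)) for p, v in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("jira", "10.3.19"),
        ("jira", "10.3.21"),
        ("confluence", "8.5.5"),
        ("bamboo", "12.1.7"),
    ]
    for product, version, ok, why in report(sample):
        print("OK      " if ok else "UPGRADE ", why)
```

The comparison is deliberately per release line: a Jira 9.12.35 install is patched even though 11.3.5 is the newest listed build, while a Confluence 8.5.x install gets flagged because the list names no fixed 8.5 build, not because it is "older than 10.2.11".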

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.