Cyber Web Spider Blog – News

Atlassian Patches Critical Apache Tika Flaw

Posted on December 15, 2025 by CWS

Atlassian has rolled out patches for roughly 30 third-party vulnerabilities affecting its products, including critical-severity flaws.

The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.

Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the common parser, the flaw was disclosed in early December.

It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.

Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it affects the lightweight graphic library ZRender.

Atlassian’s fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.

Software updates that fix these defects have been released for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management Data Center and Server products.

Because the weaknesses were found in third-party dependencies, they impact all Atlassian products that rely on them.

Users are advised to apply the patches as soon as possible. More information on the bugs and their fixes can be found in Atlassian’s December 2025 security advisory.
