Atlassian Patches Critical Apache Tika Flaw

Posted on December 15, 2025 by CWS

Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.

The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.

Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the common parser, the flaw was disclosed in early December.

It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.

Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it impacts the lightweight graphics library ZRender.

Atlassian's fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.

Software updates that fix these defects have been released for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management Data Center and Server products.

Because the weaknesses were found in third-party dependencies, they impact all Atlassian products that rely on them.

Users are advised to apply the patches as soon as possible. More information on the bugs and their fixes can be found in Atlassian's December 2025 security advisory.
