Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.
The main security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.
Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the popular parser, the flaw was disclosed in early December.
It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).
Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.
The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.
Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it impacts the lightweight graphic library ZRender.
Atlassian's fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.
Software updates that fix these defects have been released for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management data center and server products.
Because the weaknesses were found in third-party dependencies, they impact all Atlassian products that rely on them.
Users are advised to apply the patches as soon as possible. More information on the bugs and their fixes can be found in Atlassian's December 2025 security advisory.
