Cyber Web Spider Blog – News

Atlassian Patches Critical Apache Tika Flaw


Posted on December 15, 2025 By CWS

Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.

The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.

Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the popular parser, the flaw was disclosed in early December.

It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.

Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it affects the lightweight graphic library ZRender.

Atlassian’s fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.

Software updates that fix these defects have been released for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management Data Center and Server products.

Because the weaknesses were found in third-party dependencies, they impact all Atlassian products that rely on them.

Users are advised to apply the patches as soon as possible. More information on the bugs and their fixes can be found in Atlassian’s December 2025 security advisory.
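For triaging stored attachments while the updates roll out, the sketch below flags PDFs whose embedded XFA streams declare a DTD, the construct an XXE payload depends on. It is an added example, not code from Apache Tika, Atlassian or the original article; the function names, the XFA markers it looks for and the quarantine rule are assumptions, and the sample files are constructed.

```python
import re
import zlib

# Heuristic triage, not a PDF parser: it misses object streams, encrypted
# files, non-Flate filters and UTF-16 encoded XML.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b")
XFA_HINTS = (b"<xdp:xdp", b"http://www.xfa.org/schema/")


def _decode(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream body; return it unchanged otherwise."""
    try:
        # decompressobj tolerates a body the regex clipped by a byte or two
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def scan_pdf(data: bytes) -> dict:
    """Report XFA streams in a PDF and which of them declare a DTD."""
    report = {"has_xfa_key": b"/XFA" in data, "xfa_streams": 0, "dtd_streams": []}
    for index, match in enumerate(STREAM_RE.finditer(data)):
        body = _decode(match.group(1))
        if not any(hint in body for hint in XFA_HINTS):
            continue
        report["xfa_streams"] += 1
        if DTD_RE.search(body):
            report["dtd_streams"].append(index)
    # Assumption: XFA forms have no need for a DTD, so any declaration is held.
    report["quarantine"] = bool(report["dtd_streams"])
    return report


def make_sample(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Build a constructed, minimal PDF-like file carrying one XFA stream."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: a plain XFA packet and one declaring an internal entity.
XDP = b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">%s</xdp:xdp>'
CLEAN = make_sample(XDP % b"<template/>")
WITH_DTD = make_sample(b'<!DOCTYPE xdp:xdp [<!ENTITY e "constructed">]>' + XDP % b"&e;")

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN), ("with_dtd", WITH_DTD)):
        print(name, scan_pdf(pdf))
```

A hit only marks a file for review; a clean result does not show that a file is safe, given the limits listed in the first comment.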
