
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN870
_____________________________________________________________________

DATE                : 17/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Bamboo Data Center and Server
                      versions prior to 9.6.20, 12.0.2, 10.2.12.

=====================================================================
https://jira.atlassian.com/browse/BAM-26272
_____________________________________________________________________

XXE (XML External Entity Injection) Tika Dependency Vulnerability in
Bamboo Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.6.20, 12.0.2, 10.2.12
    Affects Version/s:    9.6.19, 10.2.11, 12.0.1
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    10
    CVSS Severity:    Critical
    CVE ID:    CVE-2025-66516
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    Vulnerability Classes:    XXE (XML External Entity Injection)
    Affected Product(s):    Bamboo Data Center, Bamboo Server

This Bamboo release includes updates to our Apache Tika dependency
in response to CVE-2025-66516.

Our security team has assessed that the current scope of this CVE
does not present the same critical risk in our products, as our
use of the dependency doesn’t support the known path for
exploitation.

The patch for CVE-2025-66516 is being released out of an abundance
of caution.

This Critical severity DoS (Denial of Service) vulnerability known
as CVE-2025-66516 was introduced in version 9.6.19 of Bamboo Data
Center and Server.

This vulnerability, with a CVSS Score of 10 and a CVSS Vector of
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H,
allows an unauthenticated attacker to take actions which have high
impact to confidentiality, high impact to integrity, high impact
to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center and Server customers
upgrade to the latest version; if you are unable to do so, upgrade
your instance to one of the specified supported fixed versions:

    Bamboo Data Center and Server 9.6:  upgrade to a release
        greater than or equal to 9.6.20
    Bamboo Data Center and Server 10.2: upgrade to a release
        greater than or equal to 10.2.12
    Bamboo Data Center and Server 12.0: upgrade to a release
        greater than or equal to 12.0.2

See the release notes. You can download the latest version of
Bamboo Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: Critical XXE in
Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1)
and tika-parsers (1.13-1.28.5) modules on all platforms
allows an attacker to carry out XML External Entity injection
via a crafted XFA file inside of a PDF. This CVE covers the
same vulnerability as in CVE-2025-54988. However, this CVE
expands the scope of affected packages in two ways. First,
while the entrypoint for the vulnerability was the
tika-parser-pdf-module as reported in CVE-2025-54988, the
vulnerability and its fix were in tika-core. Users who
upgraded the tika-parser-pdf-module but did not upgrade
tika-core to >= 3.2.2 would still be vulnerable. Second,
the original report failed to mention that in the 1.x Tika
releases, the PDFParser was in the
"org.apache.tika:tika-parsers" module.
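As an added check (example code, not Atlassian's or CERT-Renater's tooling), the script below applies the affected ranges quoted above to the Tika jar names found in an installation and applies the NVD's point that tika-core decides: it assumes jars are named artifact-version.jar, and the sample jar list is constructed.

```python
"""Added example (not Atlassian or CERT-Renater tooling): classify Apache Tika
jars found in a Bamboo installation against the affected ranges quoted from
NVD for CVE-2025-66516, applying the rule that tika-core decides."""
import re

# Inclusive affected ranges exactly as the NVD text on this page lists them.
# The page calls the pdf module both "tika-pdf-module" and
# "tika-parser-pdf-module"; the Maven artifact name is used here.
AFFECTED = {
    "tika-core": ("1.13", "3.2.1"),
    "tika-parser-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),
}
# Assumed naming: "tika-core-3.2.1.jar" -> ("tika-core", "3.2.1").
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple[int, ...]:
    """'3.2' and '3.2.0' must compare equal: pad to three numeric components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_affected_range(artifact: str, version: str) -> bool:
    lo, hi = AFFECTED[artifact]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def classify_jars(jar_names: list[str]) -> dict[str, str]:
    """Return {artifact: 'affected' | 'outside-range'} for each Tika jar recognised."""
    result = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m and m["artifact"] in AFFECTED:
            inside = in_affected_range(m["artifact"], m["version"])
            result[m["artifact"]] = "affected" if inside else "outside-range"
    return result


def still_vulnerable(jar_names: list[str]) -> bool:
    """True if any listed Tika artifact is inside its affected range. Because the
    fix lives in tika-core, an upgraded pdf module sitting next to tika-core <= 3.2.1
    still counts as vulnerable, which is exactly the case the NVD text warns about."""
    return "affected" in classify_jars(jar_names).values()


if __name__ == "__main__":
    # Constructed sample: the pdf module was upgraded but tika-core was not.
    sample = ["tika-parser-pdf-module-3.2.2.jar", "tika-core-3.2.1.jar", "other-lib-1.0.jar"]
    print(classify_jars(sample), still_vulnerable(sample))
```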

_____________________________________________________________________

DoS (Denial of Service) org.apache.tomcat:tomcat-util Dependency
Vulnerability in Bamboo Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.6.16, 10.2.8
    Affects Version/s:    9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6,
9.6.7, 9.6.8, 10.2.0, 9.6.9, 9.6.10, 10.2.1, 10.2.2, 10.2.3, 9.6.11,
9.6.12, 10.2.4, 9.6.13, 9.6.14, 10.2.5, 10.2.6, 9.6.15, 10.2.7
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2025-52434
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Bamboo Data Center, Bamboo Server

This High severity DoS (Denial of Service) vulnerability known as
CVE-2025-52434 was introduced in versions 9.6.1, 9.6.2, 9.6.3, 9.6.4,
9.6.5, 9.6.6, 9.6.7, 9.6.8, 10.2.0, 9.6.9, 9.6.10, 10.2.1, 10.2.2,
10.2.3, 9.6.11, 9.6.12, 10.2.4, 9.6.13, 9.6.14, 10.2.5, 10.2.6,
9.6.15, 10.2.7 of Bamboo Data Center and Server.

This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated
attacker to expose assets in your environment susceptible to
exploitation; it has high impact to confidentiality, no impact to
integrity, no impact to availability, and requires no user
interaction.

Atlassian recommends that Bamboo Data Center and Server customers
upgrade to the latest version; if you are unable to do so, upgrade
your instance to one of the specified supported fixed versions:

    Bamboo Data Center and Server 9.6:  upgrade to a release
        greater than or equal to 9.6.16
    Bamboo Data Center and Server 10.2: upgrade to a release
        greater than or equal to 10.2.8

See the release notes. You can download the latest version of
Bamboo Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: Concurrent Execution using
Shared Resource with Improper Synchronization ('Race Condition')
vulnerability in Apache Tomcat when using the APR/Native
connector. This was particularly noticeable with client initiated
closes of HTTP/2 connections. This issue affects Apache Tomcat:
from 9.0.0.M1 through 9.0.106. The following versions were EOL
at the time the CVE was created but are known to be affected:
8.5.0 through 8.5.100. Other, older, EOL versions may also be
affected. Users are recommended to upgrade to version 9.0.107,
which fixes the issue.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================