
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN871
_____________________________________________________________________

DATE                : 17/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Confluence Data Center or
                     Confluence Server below the fixed release of
                     their branch: for CVE-2025-66516 that is
                     8.5.31, 9.2.13 or 10.2.2 (the 8.5.30 / 9.2.12 /
                     10.2.1 releases were superseded); for the other
                     issues below, the per-branch fix versions
                     listed in each advisory (9.4.0, 9.5.2, 10.1.0,
                     10.0.2, 10.2.0 and the 8.5.x / 9.2.x patch
                     releases named there).

=====================================================================
https://jira.atlassian.com/browse/CONFSERVER-101788
https://jira.atlassian.com/browse/CONFSERVER-101574
https://jira.atlassian.com/browse/CONFSERVER-101489
https://jira.atlassian.com/browse/CONFSERVER-101478
https://jira.atlassian.com/browse/CONFSERVER-101573
https://jira.atlassian.com/browse/CONFSERVER-101575
_____________________________________________________________________

XXE (XML External Entity Injection) Tika Dependency Vulnerability in
Confluence Data Center and Server


    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    Low
    Fix Version/s:    9.2.12, 10.2.1, 8.5.30, 9.2.13, 10.2.2, 8.5.31
    Affects Version/s:    7.19.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, 8.9.0,
     9.1.0, 9.0.1, 9.2.0, 9.4.0, 9.3.1, 9.5.1, 10.1.0, 10.0.2, 10.2.0
    Component/s:    None
    Labels:    None

    CVSS Score:    10.0
    CVSS Severity:    Critical
    CVE ID:    CVE-2025-66516
    Vulnerability Source:    Atlassian (Internal)
    CVSS Vector (v4.0):
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    Vulnerability Classes:    XXE (XML External Entity Injection)	
    Affected Product(s):    Confluence Data Center, Confluence Server	


Atlassian Update - 17 December 2025

Since publishing, we’ve released new fixed versions of Confluence:
8.5.31, 9.2.13 and 10.2.2.

These versions contain patches for a transitive dependency affected by
CVE-2025-66516 that was not initially detected by our third-party
tooling.

This Confluence release includes updates to our Apache Tika dependency
in response to CVE-2025-66516.

Our security team has assessed that the current scope of this CVE does
not present the same critical risk in our products, as our use of the
dependency doesn’t support the known path for exploitation.

The patch for CVE-2025-66516 is being released out of an abundance of
caution.

This Critical severity XXE (XML External Entity Injection) vulnerability,
CVE-2025-66516, was introduced in Confluence Data Center and Server 7.19.

With a CVSS score of 10.0 and the vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, it
allows an unauthenticated attacker, with no user interaction, to cause a
high impact to confidentiality, integrity and availability. This is the
upstream (Apache Tika) rating; Atlassian's own assessment above is that
its use of the dependency does not support the known exploitation path.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 8.5: Upgrade to a release greater
than or equal to 8.5.30
    Confluence Data Center and Server 9.2: Upgrade to a release greater
than or equal to 9.2.12
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.1

Per the 17 December 2025 update above, the releases that also patch the
transitive dependency are 8.5.31, 9.2.13 and 10.2.2; treat those as the
effective fixed versions for this CVE.

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: Critical XXE in Apache Tika tika-core (1.13-3.2.1),
tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules
on all platforms allows an attacker to carry out XML External Entity
injection via a crafted XFA file inside of a PDF. This CVE covers
the same vulnerability as in CVE-2025-54988. However, this CVE
expands the scope of affected packages in two ways. First, while
the entrypoint for the vulnerability was the tika-parser-pdf-module
as reported in CVE-2025-54988, the vulnerability and its fix were in
tika-core. Users who upgraded the tika-parser-pdf-module but did not
upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the
original report failed to mention that in the 1.x Tika releases, the
PDFParser was in the "org.apache.tika:tika-parsers" module.
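The NVD text above makes a point that a dependency scanner keyed on the PDF module alone will miss: the entry point was tika-parser-pdf-module, but the fix is in tika-core, so a bundle where only the PDF module was bumped is still exposed, and in the 1.x line the parser lives in tika-parsers, where no fixed release exists. The following Python script is an added example (not Atlassian's or Apache Tika's code) that encodes those rules and can be pointed at the jar directory of a Confluence install; the jar-naming pattern, the `confluence/WEB-INF/lib` location and the sample file lists are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, Tuple

Version = Tuple[int, ...]

# Version boundaries taken from the NVD text for CVE-2025-66516 quoted above.
TIKA_CORE_FIXED: Version = (3, 2, 2)   # the fix lives in tika-core >= 3.2.2
AFFECTED_FROM: Version = (1, 13, 0)    # tika-core / tika-parsers are affected from 1.13
TIKA_2_0: Version = (2, 0, 0)          # from 2.0.0 the PDF parser moved out of tika-parsers

# Assumed jar naming: tika-core-3.2.1.jar, tika-parser-pdf-module-3.2.2.jar,
# tika-parsers-1.28.5.jar, or vendor-qualified names such as
# tika-core-2.9.2-atlassian-1.jar. Adjust the pattern for your bundle.
JAR_RE = re.compile(
    r"^(?P<artifact>tika-(?:core|parsers|parser-pdf-module))-"
    r"(?P<ver>\d+(?:\.\d+)*)(?:[-.][^/]*)?\.jar$"
)


def parse_version(text: str) -> Version:
    """'3.2' -> (3, 2, 0): pad to three components so tuple comparison works."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def tika_versions(jar_names: Iterable[str]) -> Dict[str, Version]:
    """Pick the Tika artifacts out of a list of jar paths or file names."""
    found: Dict[str, Version] = {}
    for name in jar_names:
        m = JAR_RE.match(Path(name).name)
        if m:
            found[m.group("artifact")] = parse_version(m.group("ver"))
    return found


def audit_tika(jar_names: Iterable[str]) -> Dict[str, str]:
    """Verdict per Tika artifact found. A patched tika-parser-pdf-module does
    not help while tika-core is below 3.2.2, which is the trap NVD warns about."""
    found = tika_versions(jar_names)
    verdict: Dict[str, str] = {}

    core = found.get("tika-core")
    if core is not None:
        if core >= TIKA_CORE_FIXED:
            verdict["tika-core"] = "fixed"
        elif core >= AFFECTED_FROM:
            verdict["tika-core"] = "vulnerable"
        else:
            verdict["tika-core"] = "not-affected"

    pdf = found.get("tika-parser-pdf-module")
    if pdf is not None:
        if core is None:
            verdict["tika-parser-pdf-module"] = "unknown (no tika-core jar found)"
        elif verdict["tika-core"] == "fixed":
            verdict["tika-parser-pdf-module"] = "fixed"
        elif pdf >= TIKA_CORE_FIXED:
            verdict["tika-parser-pdf-module"] = "vulnerable (module patched, tika-core not)"
        else:
            verdict["tika-parser-pdf-module"] = "vulnerable"

    parsers = found.get("tika-parsers")
    if parsers is not None:
        # Tika 1.x ships the PDFParser in tika-parsers and no 1.x release is fixed.
        if AFFECTED_FROM <= parsers < TIKA_2_0:
            verdict["tika-parsers"] = "vulnerable"
        else:
            verdict["tika-parsers"] = "not in affected range"
    return verdict


if __name__ == "__main__":
    # Usage (assumed path): python audit_tika.py /opt/atlassian/confluence/confluence/WEB-INF/lib
    if len(sys.argv) > 1:
        jars = [p.name for p in Path(sys.argv[1]).glob("*.jar")]
    else:
        # Constructed sample: PDF module updated, tika-core left behind.
        jars = ["tika-core-3.2.1.jar", "tika-parser-pdf-module-3.2.2.jar", "pdfbox-3.0.2.jar"]
    for artifact, state in sorted(audit_tika(jars).items()):
        print(f"{artifact}: {state}")
```

Run it against the jar directory of each node; a "vulnerable (module patched, tika-core not)" line is exactly the state the NVD entry describes, and it is the state a scanner that only tracks tika-parser-pdf-module will report as clean.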

_____________________________________________________________________

Prototype Pollution loader-utils Dependency Vulnerability in
Confluence Data Center and Server


    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    Low
    Fix Version/s:    9.2.1, 9.4.0, 9.5.1, 10.1.0, 10.0.2, 10.2.0
    Affects Version/s:    9.0.1, 9.1.1, 9.2.0, 9.3.1
    Component/s:    None
    Labels:    None

    CVSS Score:    9.8
    CVSS Severity:    Critical
    CVE ID:    CVE-2022-37601
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    Prototype Pollution	
    Affected Product(s):    Confluence Data Center, Confluence Server	

This is a vulnerability in a non-Atlassian Confluence dependency.
Atlassian's application of this dependency presents a lower,
non-critical assessed risk.

This Critical severity Prototype Pollution vulnerability known as
CVE-2022-37601 was introduced in 9.0 of Confluence Data Center
and Server.

This vulnerability with a CVSS Score of 9.8 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H allows an
unauthenticated attacker to perform actions which have a high
impact to confidentiality, high impact to integrity, high impact
to availability, and requires no user interaction.

Atlassian recommends that Confluence Data Center and Server
customers upgrade to the latest version. If you are unable to do so,
upgrade your instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 9.2: Upgrade to a release
greater than or equal to 9.2.1
    Confluence Data Center and Server 9.4: Upgrade to a release
greater than or equal to 9.4.0
    Confluence Data Center and Server 9.5: Upgrade to a release
greater than or equal to 9.5.1
    Confluence Data Center and Server 10.0: Upgrade to a release
greater than or equal to 10.0.2
    Confluence Data Center and Server 10.1: Upgrade to a release
greater than or equal to 10.1.0
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.0

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

SSRF (Server-Side Request Forgery) in Confluence Data Center and
Server


    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.4.0, 9.3.1, 8.5.20, 9.2.6, 9.5.2, 10.1.0,
                     10.0.2, 10.2.0
    Affects Version/s:    7.19.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, 8.9.0,
                      9.1.0, 9.0.1, 9.2.5, 9.5.1
    Component/s:    None
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    8.1
    CVSS Severity:    High
    CVE ID:    CVE-2024-29415
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    SSRF (Server-Side Request Forgery)	
    Affected Product(s):    Confluence Data Center, Confluence Server	

This High severity SSRF (Server-Side Request Forgery) vulnerability
known as CVE-2024-29415 was introduced in 7.19 of
Confluence Data Center and Server.

This vulnerability with a CVSS Score of 8.1 and a CVSS Vector of
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H allows an unauthenticated
attacker to perform actions as a higher-privileged user which has
high impact to confidentiality, high impact to integrity, high impact
to availability, and requires no user interaction.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 8.5: Upgrade to a release
greater than or equal to 8.5.20
    Confluence Data Center and Server 9.2: Upgrade to a release
greater than or equal to 9.2.6
    Confluence Data Center and Server 9.3: Upgrade to a release
greater than or equal to 9.3.1
    Confluence Data Center and Server 9.4: Upgrade to a release
greater than or equal to 9.4.0
    Confluence Data Center and Server 9.5: Upgrade to a release
greater than or equal to 9.5.2
    Confluence Data Center and Server 10.0: Upgrade to a release
greater than or equal to 10.0.2
    Confluence Data Center and Server 10.1: Upgrade to a release
greater than or equal to 10.1.0
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.0

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

File Inclusion tar-fs Dependency in Confluence Data Center and Server


    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    8.5.10, 9.3.1, 9.2.5, 9.5.1, 10.1.0, 10.0.2,
                   10.2.0
    Affects Version/s:    7.19.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, 8.9.0,
                   9.1.0, 9.0.1, 9.4.0, 9.2.3
    Component/s:    None
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2024-12905
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    Vulnerability Classes:    File Inclusion	
    Affected Product(s):    Confluence Data Center, Confluence Server	

This High severity File Inclusion vulnerability known as CVE-2024-12905
was introduced in 7.19 of Confluence Data Center and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows an unauthenticated
attacker to tamper with assets in your environment, which has a high
impact to integrity (no impact to confidentiality or availability), and
requires no user interaction.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 8.5: Upgrade to a release
greater than or equal to 8.5.10
    Confluence Data Center and Server 9.2: Upgrade to a release
greater than or equal to 9.2.5
    Confluence Data Center and Server 9.3: Upgrade to a release
greater than or equal to 9.3.1
    Confluence Data Center and Server 9.5: Upgrade to a release
greater than or equal to 9.5.1
    Confluence Data Center and Server 10.0: Upgrade to a release
greater than or equal to 10.0.2
    Confluence Data Center and Server 10.1: Upgrade to a release
greater than or equal to 10.1.0
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.0

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

DoS (Denial of Service) loader-utils Dependency Vulnerability in
Confluence Data Center and Server


    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    Low
    Fix Version/s:    9.2.1, 9.4.0, 9.5.1, 10.1.0, 10.0.2, 10.2.0
    Affects Version/s:    9.0.1, 9.1.1, 9.2.0, 9.3.1
    Component/s:    None
    Labels:    None

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2022-37599
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity DoS (Denial of Service) vulnerability known
as CVE-2022-37599 was introduced in 9.0 of Confluence Data
Center and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to cause a high impact to availability
(no impact to confidentiality or integrity) and requires no user
interaction. A vector with C:H/I:H/A:H would score 9.8, not 7.5;
the availability-only vector is the one consistent with the stated
score and with the DoS class.

Atlassian recommends that Confluence Data Center and Server
customers upgrade to the latest version. If you are unable to do so,
upgrade your instance to one of the specified supported fixed
versions:

    Confluence Data Center and Server 9.2: Upgrade to a release
greater than or equal to 9.2.1
    Confluence Data Center and Server 9.4: Upgrade to a release
greater than or equal to 9.4.0
    Confluence Data Center and Server 9.5: Upgrade to a release
greater than or equal to 9.5.1
    Confluence Data Center and Server 10.0: Upgrade to a release
greater than or equal to 10.0.2
    Confluence Data Center and Server 10.1: Upgrade to a release
greater than or equal to 10.1.0
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.0

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

DoS (Denial of Service) loader-utils Dependency Vulnerability in
Confluence Data Center and Server


    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    Low
    Fix Version/s:    9.2.1, 9.4.0, 9.5.1, 10.1.0, 10.0.2, 10.2.0
    Affects Version/s:    9.0.1, 9.1.1, 9.2.0, 9.3.1
    Component/s:    None
    Labels:    None

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2022-37603
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity DoS (Denial of Service) vulnerability known as
CVE-2022-37603 was introduced in 9.0 of Confluence Data Center and
Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to cause a high impact to availability
(no impact to confidentiality or integrity) and requires no user
interaction. As for CVE-2022-37599, a C:H/I:H/A:H vector would score
9.8; the availability-only vector is the one consistent with the
stated 7.5 score and the DoS class.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 9.2: Upgrade to a release
greater than or equal to 9.2.1
    Confluence Data Center and Server 9.4: Upgrade to a release
greater than or equal to 9.4.0
    Confluence Data Center and Server 9.5: Upgrade to a release
greater than or equal to 9.5.1
    Confluence Data Center and Server 10.0: Upgrade to a release
greater than or equal to 10.0.2
    Confluence Data Center and Server 10.1: Upgrade to a release
greater than or equal to 10.1.0
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.0

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.
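Each advisory above gives a per-branch list of fixed versions and the release in which the issue was introduced, and the lists differ per CVE, so checking an instance by hand against six of them is error-prone. The following Python script is an added example (not Atlassian's code) that turns those lists into one triage check for an installed Confluence version. It applies the branch rule the advisories use (fixed only at or above the fix release on the same major.minor branch), treats a branch with no fix release below the newest fix branch as unfixed, and for CVE-2025-66516 keeps only the 17 December 2025 versions (8.5.31, 9.2.13, 10.2.2), since that update states the earlier releases missed a transitive dependency. The "assumed fixed" verdict for a branch newer than every listed fix release is an assumption to confirm against the release notes, not something the advisories state.

```python
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def v(text: str) -> Version:
    """'9.2' -> (9, 2, 0); Confluence versions are major.minor.patch."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fmt(ver: Version) -> str:
    return ".".join(str(p) for p in ver)


# Fix versions per CVE, copied from the advisories above. For CVE-2025-66516
# only the 17 December 2025 set is kept, since the update says that
# 8.5.30 / 9.2.12 / 10.2.1 missed a transitive dependency.
LOADER_UTILS_FIXES = ["9.2.1", "9.4.0", "9.5.1", "10.0.2", "10.1.0", "10.2.0"]
FIXED: Dict[str, List[str]] = {
    "CVE-2025-66516": ["8.5.31", "9.2.13", "10.2.2"],
    "CVE-2022-37601": LOADER_UTILS_FIXES,
    "CVE-2024-29415": ["8.5.20", "9.2.6", "9.3.1", "9.4.0", "9.5.2", "10.0.2", "10.1.0", "10.2.0"],
    "CVE-2024-12905": ["8.5.10", "9.2.5", "9.3.1", "9.5.1", "10.0.2", "10.1.0", "10.2.0"],
    "CVE-2022-37599": LOADER_UTILS_FIXES,
    "CVE-2022-37603": LOADER_UTILS_FIXES,
}
# Release in which each issue was introduced, as stated in each advisory.
INTRODUCED: Dict[str, str] = {
    "CVE-2025-66516": "7.19", "CVE-2024-29415": "7.19", "CVE-2024-12905": "7.19",
    "CVE-2022-37601": "9.0", "CVE-2022-37599": "9.0", "CVE-2022-37603": "9.0",
}


def status(installed: str, cve: str) -> str:
    inst = v(installed)
    if inst < v(INTRODUCED[cve]):
        return "not affected (predates introduction)"
    fixes = sorted(v(f) for f in FIXED[cve])
    branch = inst[:2]
    on_branch = [f for f in fixes if f[:2] == branch]
    if on_branch:
        # Fixed only at or above the first fix release of the same major.minor branch.
        if inst >= on_branch[0]:
            return "fixed"
        return f"vulnerable: upgrade to >= {fmt(on_branch[0])}"
    if branch > fixes[-1][:2]:
        # Assumption: a branch cut after every listed fix carries it. Confirm in release notes.
        return "assumed fixed (newer than all listed fix versions; confirm in release notes)"
    # Branches such as 9.3/9.4/9.5/10.0/10.1 for CVE-2025-66516 have no fix release at all.
    return "vulnerable: no fix on this branch, move to a supported branch"


def triage(installed: str) -> Dict[str, str]:
    """Status of one installed version against every CVE in this note."""
    return {cve: status(installed, cve) for cve in FIXED}


if __name__ == "__main__":
    # Usage: python confluence_triage.py 9.2.12   (default below is a constructed sample)
    installed = sys.argv[1] if len(sys.argv) > 1 else "9.2.12"
    for cve, state in triage(installed).items():
        print(f"{installed} / {cve}: {state}")
```

The default sample, 9.2.12, is a useful one to reason about: it is at or above the fix release for the five older issues, but below 9.2.13 for CVE-2025-66516, which is precisely the gap the 17 December update closes.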


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================