
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN872
_____________________________________________________________________

DATE                : 18/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jira Software Data Center and
                     Jira Software Server versions prior to 9.12.30,
                     10.3.15, 11.2.1, 11.3.0; systems running
                     Confluence Data Center and Confluence Server
                     versions prior to 9.2.1, 9.4.0, 9.5.1, 10.0.2,
                     10.1.0, 10.2.0.

=====================================================================
https://jira.atlassian.com/browse/JSWSERVER-26630
https://jira.atlassian.com/browse/JSWSERVER-26625
https://jira.atlassian.com/browse/JSWSERVER-26614
https://jira.atlassian.com/browse/JSWSERVER-26636
https://jira.atlassian.com/browse/JSWSERVER-26599
https://jira.atlassian.com/browse/JSWSERVER-26635
https://jira.atlassian.com/browse/JSWSERVER-26629
https://jira.atlassian.com/browse/JSWSERVER-26615
https://jira.atlassian.com/browse/JSWSERVER-26627
https://jira.atlassian.com/browse/JSWSERVER-26628
https://jira.atlassian.com/browse/JSWSERVER-26626
https://jira.atlassian.com/browse/JSWSERVER-26620
https://jira.atlassian.com/browse/JSWSERVER-26634
https://jira.atlassian.com/browse/JSWSERVER-26600
https://jira.atlassian.com/browse/JSWSERVER-26619
_____________________________________________________________________

XXE (XML External Entity Injection) Tika Dependency in Jira Software
Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.12.29, 10.3.15, 11.2.0, 11.3.0
    Affects Version/s:    9.12.0, 9.12.1, 9.12.2, 9.12.3, 9.12.4,
                        9.12.5, 9.12.6, 9.12.7, 9.12.8, 9.12.9,
                      9.12.10, 9.12.11, 9.12.12, 9.12.13, 9.12.14,
                      9.12.15, 9.12.16, 9.12.17, 9.12.18, 9.12.19,
                      9.12.20, 9.12.21, 9.12.22, 9.12.23, 9.12.24,
                      9.12.25, 9.12.26, 9.12.27, 9.12.28, 10.3.0,
                      10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6,
                      10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11,
                      10.3.12, 10.3.13, 10.3.14, 11.0.0, 11.1.0,
                      11.0.1, 11.1.1
    Component/s:    Security
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    10
    CVSS Severity:    Critical
    CVE ID:    CVE-2025-66516
    Vulnerability Source:    Atlassian (Internal)
    CVSS Vector:
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    Vulnerability Classes:    XXE (XML External Entity Injection)	
    Affected Product(s):    Jira Software Data Center, Jira Software Server	

This Jira Software release includes updates to our Apache Tika
dependency in response to CVE-2025-66516.

Our security team has assessed that the current scope of this CVE does
not present the same critical risk in our products, as our use of the
dependency doesn’t support the known path for exploitation.

The patch for CVE-2025-66516 is being released out of an abundance
of caution.

This Critical severity XXE (XML External Entity Injection)
vulnerability known as CVE-2025-66516 was introduced in 9.12.28 of
Jira Software Data Center and Server.

This vulnerability with a CVSS Score of 10 and a CVSS Vector of
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
allows an unauthenticated attacker to take actions which have
high impact to confidentiality, high impact to integrity, high
impact to availability, and requires no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 9.12: Upgrade to a
release greater than or equal to 9.12.29
    Jira Software Data Center and Server 10.3: Upgrade to a
release greater than or equal to 10.3.15
    Jira Software Data Center and Server 11.2: Upgrade to a
release greater than or equal to 11.2.0

See the release notes. You can download the latest version of
Jira Software Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: Critical XXE in Apache Tika
tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and
tika-parsers (1.13-1.28.5) modules on all platforms allows an
attacker to carry out XML External Entity injection via a
crafted XFA file inside of a PDF. This CVE covers the same
vulnerability as in CVE-2025-54988. However, this CVE expands
the scope of affected packages in two ways. First, while the
entrypoint for the vulnerability was the tika-parser-pdf-module
as reported in CVE-2025-54988, the vulnerability and its fix
were in tika-core. Users who upgraded the tika-parser-pdf-module
but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.
Second, the original report failed to mention that in the 1.x Tika
releases, the PDFParser was in the "org.apache.tika:tika-parsers"
module.
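The NVD text above carries the point that matters when auditing an installation rather than reading the fix-version table: the fix for CVE-2025-66516 is in tika-core, so an instance whose tika-parser-pdf-module was updated while tika-core stayed below 3.2.2 is still exposed. The following is an added example, not Atlassian's or Apache Tika's code, of a check that applies that rule to the jar names bundled with an application. It assumes the usual `<artifact>-<version>.jar` naming, that the file names come from the application's library directory (for Jira, assumed to be `<install>/atlassian-jira/WEB-INF/lib`; the listings in the block are constructed for the example), and, as the advisory states, that Tika 1.x ships the PDF parser in tika-parsers.

```javascript
// Added example: assess whether a bundled Apache Tika is exposed to
// CVE-2025-66516 from jar file names alone. Not Atlassian's or Tika's code.

// Affected range from the advisory text: tika-core 1.13 up to and
// including 3.2.1; the fix is in tika-core 3.2.2.
const TIKA_FIRST_AFFECTED = '1.13';
const TIKA_FIXED = '3.2.2';

// Split "artifact-1.2.3.jar" (optionally with a qualifier such as
// ".Final" or "-RC1") into artifact id and numeric version.
function parseJarName(filename) {
  const m = /^(.+?)-(\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)?\.jar$/.exec(filename);
  return m ? { artifact: m[1], version: m[2] } : null;
}

// Numeric, component-wise comparison returning -1, 0 or 1. Missing
// components count as 0, so "3.2" and "3.2.0" compare equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// jarNames: file names from the application's lib directory (for Jira,
// assumed to be <install>/atlassian-jira/WEB-INF/lib). Returns a verdict.
function assessTika(jarNames) {
  const jars = jarNames.map(parseJarName).filter(Boolean);
  const byArtifact = (id) => jars.find((j) => j.artifact === id);
  const core = byArtifact('tika-core');
  // The PDF parser moved: tika-parsers in 1.x, tika-parser-pdf-module in 2.x/3.x.
  const pdf = byArtifact('tika-parser-pdf-module') || byArtifact('tika-parsers');
  const pdfVersion = pdf ? pdf.version : null;

  if (!core) {
    return { vulnerable: false, tikaCore: null, pdfModule: pdfVersion,
             reason: 'tika-core not bundled' };
  }
  const inRange = compareVersions(core.version, TIKA_FIRST_AFFECTED) >= 0 &&
                  compareVersions(core.version, TIKA_FIXED) < 0;
  if (!inRange) {
    return { vulnerable: false, tikaCore: core.version, pdfModule: pdfVersion,
             reason: `tika-core ${core.version} is outside the affected range` };
  }
  // The case the advisory warns about: PDF module patched, core not.
  const mixed = pdf && compareVersions(pdf.version, TIKA_FIXED) >= 0;
  return {
    vulnerable: true,
    tikaCore: core.version,
    pdfModule: pdfVersion,
    reason: mixed
      ? `${pdf.artifact} ${pdf.version} is patched but tika-core ${core.version} is below ${TIKA_FIXED} (fix is in tika-core)`
      : `tika-core ${core.version} is below ${TIKA_FIXED}`,
  };
}

// Constructed sample listings (not taken from a real installation).
const SAMPLE_LIBS = {
  mixedUpgrade: ['commons-io-2.16.1.jar', 'tika-core-3.2.1.jar', 'tika-parser-pdf-module-3.2.2.jar'],
  fullyPatched: ['tika-core-3.2.2.jar', 'tika-parser-pdf-module-3.2.2.jar'],
  legacy1x:     ['tika-core-1.28.5.jar', 'tika-parsers-1.28.5.jar'],
};

function runSamples() {
  const out = {};
  for (const [name, jars] of Object.entries(SAMPLE_LIBS)) out[name] = assessTika(jars);
  return out;
}

for (const [name, verdict] of Object.entries(runSamples())) {
  console.log(name, verdict.vulnerable ? 'VULNERABLE' : 'ok', '-', verdict.reason);
}
```

To run it against a real instance, pass the file names of the library directory to `assessTika` instead of the constructed listings; the same `compareVersions` helper serves for the other dependencies in this note (Netty, Commons FileUpload, ion-java) once their fixed versions are added.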

____________________________________________________________________

Prototype Pollution zrender Dependency in Jira Software Data Center
and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.14, 11.3.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4,
      10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11,
      10.3.12, 10.3.13, 11.0.0, 11.1.0, 11.0.1, 11.0.2, 11.1.1,
      11.1.2, 11.2.0
    Component/s:    None
    Labels:      advisory advisory-to-release dont-import security 

    CVSS Score:    9.8
    CVSS Severity:    Critical
    CVE ID:    CVE-2021-39227
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    Prototype Pollution	
    Affected Product(s):  Jira Software Data Center, Jira Software Server	

This is a vulnerability in a non-Atlassian Jira Software dependency.
Atlassian's application of this dependency presents a lower,
non-critical assessed risk.

This Critical severity Prototype Pollution vulnerability known as
CVE-2021-39227 was introduced in 10.3.0 and 11.0.0 of Jira Software
Data Center and Server.

This vulnerability with a CVSS Score of 9.8 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H allows an unauthenticated
attacker to take actions which have a high impact to confidentiality,
high impact to integrity, high impact to availability, and requires
no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 10.3: Upgrade to a
release greater than or equal to 10.3.14
    Jira Software Data Center and Server 11.x (11.0.0 through 11.2.0):
Upgrade to a release greater than or equal to 11.3.0

See the release notes. You can download the latest version of
Jira Software Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: ZRender is a lightweight
graphic library providing 2d draw for Apache ECharts. In
versions prior to 5.2.1, using `merge` and `clone` helper
methods in the `src/core/util.ts` module results in prototype
pollution. It affects the popular data visualization library
Apache ECharts, which uses and exports these two methods
directly. The GitHub Security Advisory page for this
vulnerability contains a proof of concept. This issue is
patched in ZRender version 5.2.1. One workaround is available:
Check if there is `__proto__` in the object keys. Omit it
before using it as a parameter in these affected methods. Or
in `echarts.util.merge` and `setOption` if project is using
ECharts.
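The workaround in the NVD text (drop `__proto__` from the keys before merging) is easier to judge next to the bug it prevents. The following is an added example, not zrender's or ECharts' code: a constructed deep merge with the same defect class as the pre-5.2.1 helpers, alongside a hardened version. The hardened version goes beyond the advisory's workaround by also refusing `constructor` and `prototype` keys and by iterating own keys only; the chart option used as input is constructed for the example.

```javascript
// Added example: the merge-based prototype pollution class described for
// zrender < 5.2.1, shown as a constructed vulnerable merge next to a hardened
// one. Neither function is zrender's or ECharts' own code.

// Vulnerable: walks every enumerable key of `source`, including an own
// "__proto__" key, and `target["__proto__"]` resolves to Object.prototype,
// so the recursion writes attacker-chosen properties onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: the advisory's workaround (drop "__proto__") generalised to the
// other keys that reach a prototype, plus own-key iteration and a plain-object
// check so a nested target is never a shared prototype or a class instance.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled chart option, e.g. JSON posted to an
// endpoint that hands it to a merge helper. JSON.parse keeps "__proto__"
// as an ordinary own key, which is exactly what the vulnerable merge walks.
const HOSTILE_OPTION = '{"__proto__": {"polluted": true}, "series": [{"type": "bar"}]}';

function demonstrate() {
  const before = ({}).polluted;                    // undefined
  unsafeMerge({}, JSON.parse(HOSTILE_OPTION));
  const afterUnsafe = ({}).polluted;               // true: every object now inherits it
  delete Object.prototype.polluted;                // undo the pollution for the rest of the process
  const merged = safeMerge({}, JSON.parse(HOSTILE_OPTION));
  const afterSafe = ({}).polluted;                 // still undefined
  return { before, afterUnsafe, afterSafe, mergedKeys: Object.keys(merged) };
}

console.log(demonstrate());
```

The `delete Object.prototype.polluted` line exists only so the demonstration leaves the runtime as it found it; in a real incident the polluted property persists for the life of the process, which is why the hardened merge refuses the key rather than cleaning up afterwards.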

_____________________________________________________________________

XXE (XML External Entity Injection) in Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.12.30, 10.3.13, 11.2.0
    Affects Version/s:    9.12.27, 9.12.28, 10.3.10, 10.3.11, 10.3.12,
                     11.0.1, 11.1.1
    Component/s:    Security
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    8.4
    CVSS Severity:    High
    CVE ID:    CVE-2025-54988
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    XXE (XML External Entity Injection)	
    Affected Product(s): Jira Software Data Center, Jira Software Server	

This High severity XXE (XML External Entity Injection) vulnerability
was introduced in versions 9.12.27, 10.3.10, 11.0.1, and 11.1.1 of
Jira Software Data Center and Server.

This XXE (XML External Entity Injection) vulnerability, with a CVSS
Score of 8.4 and a CVSS Vector of
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H allows an
unauthenticated attacker to access local and remote content which
has high impact to confidentiality, high impact to integrity, high
impact to availability, and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 9.12: Upgrade to a release
greater than or equal to 9.12.30

    Jira Software Data Center and Server 10.3: Upgrade to a release
greater than or equal to 10.3.13

    Jira Software Data Center and Server 11.2: Upgrade to a release
greater than or equal to 11.2.0

See the release notes
(https://www.atlassian.com/software/jira/download-archives). You can
download the latest version of Jira Software Data Center and Server
from the download center
(https://www.atlassian.com/software/jira/download-archives).

The National Vulnerability Database provides the following
description for this vulnerability: Critical XXE in Apache Tika
(tika-parser-pdf-module) in Apache Tika 1.13 through and including
3.2.1 on all platforms allows an attacker to carry out XML External
Entity injection via a crafted XFA file inside of a PDF. An attacker
may be able to read sensitive data or trigger malicious requests to
internal resources or third-party servers. Note that the
tika-parser-pdf-module is used as a dependency in several Tika
packages including at least: tika-parsers-standard-modules,
tika-parsers-standard-package, tika-app, tika-grpc and
tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this
issue.

_____________________________________________________________________

DoS (Denial of Service) org.apache.struts:struts-core Dependency in
Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.1
    Affects Version/s:    11.2.0
    Component/s:    None
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    8.2
    CVSS Severity:    High
    CVE ID:    CVE-2016-1182
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known
as CVE-2016-1182 was introduced in 11.2.0 of Jira Software Data
Center and Server.

This vulnerability with a CVSS Score of 8.2 and a CVSS Vector of
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H allows an
unauthenticated attacker to take actions which have no impact to
confidentiality, low impact to integrity, high impact to
availability, and requires no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 11.2: Upgrade to a release
greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: ActionServlet.java in Apache Struts 1 1.x
through 1.3.10 does not properly restrict the Validator configuration,
which allows remote attackers to conduct cross-site scripting (XSS)
attacks or cause a denial of service via crafted input, a related
issue to CVE-2015-0899.

_____________________________________________________________________

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in
Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.12.28
    Affects Version/s:
    9.12.1, 9.12.2, 9.12.3, 9.12.4, 9.12.5, 9.12.6, 9.12.7, 9.12.8,
    9.12.9, 9.12.10, 9.12.11, 9.12.12, 9.12.13, 9.12.14, 9.12.15,
    9.12.16, 9.12.17, 9.12.18, 9.12.19, 9.12.22, 9.12.23, 9.12.24,
    9.12.25, 9.12.26, 9.12.27
    Component/s:    Security
    Labels:  advisory advisory-to-release dont-import security 

    CVSS Score:    8.2
    CVSS Severity:    High
    CVE ID:    CVE-2025-55163
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known as
CVE-2025-55163 was introduced in 9.12.1 of Jira Software Data Center
and Server and affects the 9.12 releases listed above.

This vulnerability with a CVSS Score of 8.2 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to exhaust server resources over HTTP/2,
which has no impact to confidentiality, no impact to integrity, high
impact to availability, and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 9.12: Upgrade to a release
greater than or equal to 9.12.28

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: Netty is an asynchronous, event-driven network
application framework. Prior to versions 4.1.124.Final and 4.2.4.Final,
Netty is vulnerable to MadeYouReset DDoS. This is a logical
vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2
control frames in order to break the max concurrent streams limit -
which results in resource exhaustion and distributed denial of service.
This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.


_____________________________________________________________________

DoS (Denial of Service) loader-utils Dependency Vulnerability in
Confluence Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    Low
    Fix Version/s:    9.2.1, 9.4.0, 9.5.1, 10.1.0, 10.0.2, 10.2.0
    Affects Version/s:    9.0.1, 9.1.1, 9.2.0, 9.3.1
    Component/s:    None
    Labels:    None

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2022-37603
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    DoS (Denial of Service)        
    Affected Product(s):    Confluence Data Center, Confluence Server        

This High severity DoS (Denial of Service) vulnerability known as
CVE-2022-37603 was introduced in 9.0 of Confluence Data Center and
Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H allows an
unauthenticated attacker to perform actions which have a high impact
to confidentiality, high impact to integrity, high impact to
availability, and requires no user interaction. Note that the vector
as printed evaluates to 9.8 under CVSS 3.1, not 7.5; a score of 7.5
corresponds to an availability-only impact (C:N/I:N/A:H), which is
what the DoS classification of this entry describes. Treat the score
and the impact text as inconsistent with each other and rely on the
fixed versions below.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version; if you are unable to do so, upgrade
your instance to one of the supported fixed versions specified below:

    Confluence Data Center and Server 9.2: Upgrade to a release
greater than or equal to 9.2.1
    Confluence Data Center and Server 9.4: Upgrade to a release
greater than or equal to 9.4.0
    Confluence Data Center and Server 9.5: Upgrade to a release
greater than or equal to 9.5.1
    Confluence Data Center and Server 10.0: Upgrade to a release
greater than or equal to 10.0.2
    Confluence Data Center and Server 10.1: Upgrade to a release
greater than or equal to 10.1.0
    Confluence Data Center and Server 10.2: Upgrade to a release
greater than or equal to 10.2.0

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

RCE (Remote Code Execution) in Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.1, 11.3.0
    Affects Version/s:    11.2.0
    Component/s:    None
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    8.1
    CVSS Severity:    High
    CVE ID:    CVE-2016-1181
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    RCE (Remote Code Execution)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity RCE (Remote Code Execution) vulnerability was
introduced in version 11.2.0 of Jira Software Data Center and
Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score
of 8.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
allows an unauthenticated attacker to execute arbitrary code which has
high impact to confidentiality, high impact to integrity, high impact
to availability, and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 11.2: Upgrade to a release
greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: ActionServlet.java in
Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access
to an ActionForm instance, which allows remote attackers to execute
arbitrary code or cause a denial of service (unexpected memory access)
via a multipart request, a related issue to CVE-2015-0899.

_____________________________________________________________________

SSRF (Server Side Request Forgery) axios Dependency in Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.13
    Affects Version/s:
    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7,
       10.3.8, 10.3.10, 10.3.11
    Component/s:    Security
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    7.7
    CVSS Severity:    High
    CVE ID:    CVE-2025-27152
    Vulnerability Source:    Atlassian (Internal)
    CVSS Vector:
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
    Vulnerability Classes:    SSRF (Server Side Request Forgery)
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity SSRF (Server Side Request Forgery) vulnerability
known as CVE-2025-27152 was introduced in 10.3.0 of Jira Software
Data Center and Server.

This vulnerability with a CVSS Score of 7.7 and a CVSS Vector of
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
allows an unauthenticated attacker to take actions which have high
impact to confidentiality, no impact to integrity, no impact to
availability, and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 10.3: Upgrade to a release
greater than or equal to 10.3.13

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: axios is a promise based HTTP client for the
browser and node.js. The issue occurs when passing absolute URLs rather
than protocol-relative URLs to axios. Even if baseURL is set, axios
sends the request to the specified absolute URL, potentially causing
SSRF and credential leakage. This issue impacts both server-side and
client-side usage of axios. This issue is fixed in 1.8.2.

_____________________________________________________________________

Improper Authorization org.springframework.security:spring-security-core
Dependency in Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.0
    Affects Version/s:    11.0.1, 11.1.1
    Component/s:    Security
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2025-41248
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Vulnerability Classes:    Improper Authorization	
    Affected Product(s):    Jira Software Data Center, Jira Software Server	

This High severity Improper Authorization vulnerability was introduced
in versions 11.0.1 and 11.1.1 of Jira Software Data Center and Server.

This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, allows an
unauthenticated attacker to bypass method-level authorization checks,
which has high impact to confidentiality, no impact to integrity, no
impact to availability, and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 11.0 and 11.1: Upgrade to a
release greater than or equal to 11.2.0

See the release notes (https://www.atlassian.com/software/jira/download-archives).
You can download the latest version of Jira Software Data Center
and Server from the download center
(https://www.atlassian.com/software/jira/download-archives).

The National Vulnerability Database provides the following description
for this vulnerability: The Spring Security annotation detection
mechanism may not correctly resolve annotations on methods within type
hierarchies with a parameterized super type with unbounded generics.
This can be an issue when using @PreAuthorize and other method
security annotations, resulting in an authorization bypass. Your
application may be affected by this if you are using Spring Security's
@EnableMethodSecurity feature. You are not affected by this if you
are not using @EnableMethodSecurity or if you do not use security
annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41249
https://spring.io/security/cve-2025-41249.

_____________________________________________________________________

DoS (Denial of Service) commons-fileupload:commons-fileupload
Dependency in Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.12.29
    Affects Version/s:
    9.12.1, 9.12.2, 9.12.3, 9.12.4, 9.12.5, 9.12.6, 9.12.7,
    9.12.8, 9.12.9, 9.12.10, 9.12.11, 9.12.12, 9.12.13, 9.12.14,
    9.12.15, 9.12.16, 9.12.17, 9.12.18, 9.12.19, 9.12.20,
    9.12.21, 9.12.22, 9.12.23, 9.12.24, 9.12.25
    Component/s:    Security
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2025-48976
    Vulnerability Source:
    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known as
CVE-2025-48976 was introduced in 9.12.1 of Jira Software Data Center
and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to take actions which have no impact to
confidentiality, no impact to integrity, high impact to availability,
and requires no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 9.12: Upgrade to a release
greater than or equal to 9.12.29

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: Allocation of resources for
multipart headers with insufficient limits enabled a DoS
vulnerability in Apache Commons FileUpload. This issue affects Apache
Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before
2.0.0-M4. Users are recommended to upgrade to versions 1.6 or
2.0.0-M4, which fix the issue.

_____________________________________________________________________

DoS (Denial of Service) software.amazon.ion:ion-java Dependency in
Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    9.12.6
    Affects Version/s:    9.12.1, 9.12.2, 9.12.3, 9.12.4, 9.12.5
    Component/s:    Security
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2024-21634
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known as
CVE-2024-21634 was introduced in 9.12.1 of Jira Software Data Center
and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated
attacker to take actions which have no impact to confidentiality,
no impact to integrity, high impact to availability, and requires
no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 9.12: Upgrade to a
release greater than or equal to 9.12.6

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: Amazon Ion is a Java implementation of the Ion
data notation. Prior to version 1.10.5, a potential denial-of-service
issue exists in `ion-java` for applications that use `ion-java` to
deserialize Ion text encoded data, or deserialize Ion text or binary
encoded data into the `IonValue` model and then invoke certain
`IonValue` methods on that in-memory representation. An actor could
craft Ion data that, when loaded by the affected application and/or
processed using the `IonValue` model, results in a `StackOverflowError`
originating from the `ion-java` library. The patch is included in
`ion-java` 1.10.5. As a workaround, do not load data which originated
from an untrusted source or that could have been tampered with.

_____________________________________________________________________

DoS (Denial of Service) minimatch Dependency in Jira Software Data
Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.14
    Affects Version/s:    10.3.13
    Component/s:    None
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2022-3517
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known as
CVE-2022-3517 was introduced in 10.3.13 of Jira Software Data
Center and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to take actions which have no impact
to confidentiality, no impact to integrity, high impact to
availability, and requires no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version; if you are unable to do so,
upgrade your instance to one of the supported fixed versions
specified below:

    Jira Software Data Center and Server 10.3: Upgrade to a release
greater than or equal to 10.3.14

See the release notes. You can download the latest version of
Jira Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: A vulnerability was found in the minimatch
package. This flaw allows a Regular Expression Denial of Service
(ReDoS) when calling the braceExpand function with specific arguments,
resulting in a Denial of Service.

_____________________________________________________________________

DoS (Denial of Service) axios Dependency in Jira Software Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.13, 11.2.1, 11.3.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4,
      10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.10, 10.3.11, 10.3.12,
      11.0.0, 11.1.0, 11.2.0
    Component/s:    None
    Labels:        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2025-58754
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known as
CVE-2025-58754 was introduced in 10.3.0, and 11.0.0 of Jira
Software Data Center and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to take actions which have no impact to
confidentiality, no impact to integrity, high impact to
availability, and requires no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version. If you are unable to do so,
upgrade your instance to one of the specified supported fixed
versions:

    Jira Software Data Center and Server 10.3: Upgrade to a
release greater than or equal to 10.3.13
    Jira Software Data Center and Server 11.2: Upgrade to a
release greater than or equal to 11.2.1

See the release notes. You can download the latest version of
Jira Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: Axios is a promise based HTTP client for the
browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0
runs on Node.js and is given a URL with the `data:` scheme, it does
not perform HTTP. Instead, its Node http adapter decodes the entire
payload into memory (`Buffer`/`Blob`) and returns a synthetic 200
response. This path ignores `maxContentLength` / `maxBodyLength`
(which only protect HTTP responses), so an attacker can supply a very
large `data:` URI and cause the process to allocate unbounded memory
and crash (DoS), even if the caller requested `responseType:
'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
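The caller-side guard for the failure mode described above, as an added example (not code from Atlassian or the axios project): validate the scheme of an attacker-influenced URL before any HTTP client sees it, because client body limits such as axios' maxContentLength/maxBodyLength only apply to HTTP responses and did nothing for data: URLs in the affected versions. The function names, the byte cap and the sample URLs are this example's own assumptions.

```javascript
// Added example, not code from Atlassian or the axios project. Validates a
// URL before it reaches an HTTP client: http(s) only by default, and data:
// URLs only when the caller opts in with a cap on the decoded size.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Estimates the decoded byte length of a data: URL without decoding it:
// base64 yields 3 bytes per 4 characters (padding excluded); in the
// percent-encoded form each %XX triplet is a single byte.
function dataUrlDecodedSize(url) {
  const href = new URL(url).href;           // throws on malformed input
  if (!href.startsWith('data:')) throw new TypeError('not a data: URL');
  const comma = href.indexOf(',');
  if (comma === -1) throw new TypeError('malformed data: URL (no comma)');
  const meta = href.slice('data:'.length, comma);
  const body = href.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const chars = body.replace(/[=\s]/g, '').length;
    return Math.floor((chars * 3) / 4);
  }
  const triplets = (body.match(/%[0-9a-fA-F]{2}/g) || []).length;
  return body.length - 2 * triplets;
}

// Returns { ok, reason }. http(s) is always allowed; data: is allowed only
// when maxDataBytes > 0 and the decoded size fits; every other scheme
// (file:, ftp:, gopher:, ...) is rejected.
function checkOutboundUrl(url, { maxDataBytes = 0 } = {}) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return { ok: false, reason: 'malformed URL' };
  }
  if (ALLOWED_SCHEMES.has(u.protocol)) {
    return { ok: true, reason: 'allowed scheme ' + u.protocol };
  }
  if (u.protocol === 'data:' && maxDataBytes > 0) {
    let size;
    try {
      size = dataUrlDecodedSize(u.href);
    } catch (e) {
      return { ok: false, reason: 'malformed data: URL' };
    }
    if (size <= maxDataBytes) return { ok: true, reason: `data: URL (~${size} bytes)` };
    return { ok: false, reason: `data: URL decodes to ~${size} bytes, limit ${maxDataBytes}` };
  }
  return { ok: false, reason: 'scheme ' + u.protocol + ' not allowed' };
}

// Constructed inputs: a normal API URL and a data: URL whose base64 body
// decodes to 3 MiB, the shape an attacker would feed to the bug above.
const SAMPLE_HTTPS = 'https://jira.example.invalid/rest/api/2/issue/JRA-1';
const SAMPLE_BIG_DATA = 'data:application/octet-stream;base64,' + 'A'.repeat(4 * 1024 * 1024);
```

The size estimate is deliberately computed from the URL string, never by decoding it, so the guard itself cannot be turned into the allocation it is meant to prevent. Once the check passes, the client's own maxContentLength still applies to the HTTP case.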

_____________________________________________________________________

XXE (XML External Entity Injection) in Jira Software Data Center
and Server

    Published

    Type:
    Public Security Vulnerability
    Resolution:
    Fixed
    Priority:
    High
    Fix Version/s:
    11.2.1, 11.3.0
    Affects Version/s:
    11.2.0
    Component/s:
    None
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2023-49735
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Vulnerability Classes:    XXE (XML External Entity Injection)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity XXE (XML External Entity Injection) vulnerability was
introduced in version 11.2.0 of Jira Software Data Center and Server.

This XXE (XML External Entity Injection) vulnerability, with a CVSS
Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated
attacker to access local and remote content which has high impact to
confidentiality, no impact to integrity, no impact to availability,
and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Jira Software Data Center and Server 11.2: Upgrade to a release
greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: ** UNSUPPORTED WHEN ASSIGNED **

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the
session was not validated while resolving XML definition files, leading
to possible path traversal and eventually SSRF/XXE when passing
user-controlled data to this key. Passing user-controlled data to this
key may be relatively common, as it was also used like that to set the
language in the 'tiles-test' application shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer
supported by the maintainer.

_____________________________________________________________________

DoS (Denial of Service) org.codehaus.jettison:jettison Dependency Vulnerability in Jira Software Data Center and Server

    Published

    Type:
    Public Security Vulnerability
    Resolution:
    Fixed
    Priority:
    High
    Fix Version/s:
    9.12.29
    Affects Version/s:
    9.12.1, 9.12.2, 9.12.3, 9.12.4, 9.12.5, 9.12.6, 9.12.7, 9.12.8, 9.12.9, 9.12.10, 9.12.11, 9.12.12, 9.12.13, 9.12.14, 9.12.15, 9.12.16, 9.12.17, 9.12.18, 9.12.19, 9.12.22, 9.12.23, 9.12.24, 9.12.25, 9.12.26, 9.12.27, 9.12.28
    Component/s:
    Security
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2022-45693
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity DoS (Denial of Service) vulnerability known as
CVE-2022-45693 was introduced in 9.12.1, 9.12.2, 9.12.3, 9.12.4,
9.12.5, 9.12.6, 9.12.7, 9.12.8, 9.12.9, 9.12.10, 9.12.11, 9.12.12,
9.12.13, 9.12.14, 9.12.15, 9.12.16, 9.12.17, 9.12.18, 9.12.19,
9.12.22, 9.12.23, 9.12.24, 9.12.25, 9.12.26, 9.12.27, and 9.12.28
of Jira Software Data Center and Server.

This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an
unauthenticated attacker to take actions which have no impact to
confidentiality, no impact to integrity, high impact to
availability, and requires no user interaction.

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version. If you are unable to do so,
upgrade your instance to one of the specified supported fixed
versions:

    Jira Software Data Center and Server 9.12: Upgrade to a release
greater than or equal to 9.12.29

See the release notes. You can download the latest version of Jira
Software Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: Jettison before v1.5.2 was discovered to
contain a stack overflow via the map parameter. This vulnerability
allows attackers to cause a Denial of Service (DoS) via a crafted string.
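A pre-parse depth check for the bug class described above, as an added example (not code from Atlassian or the Jettison project): a stack overflow in a recursive-descent parser is triggered by nesting, so the cheapest defence is to measure the nesting depth of untrusted input with a linear scan and reject it before the parser recurses. The function names, the depth cap of 64 and the sample documents are this example's own assumptions; JSON.parse stands in for whatever parser the application uses.

```javascript
// Added example, not code from Atlassian or the Jettison project. Measures
// the bracket nesting depth of JSON text in one pass (honouring string
// literals and backslash escapes) and refuses to parse past a cap.

function jsonNestingDepth(text) {
  let depth = 0, maxDepth = 0, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      // Brackets inside string literals do not nest; track escapes so an
      // escaped quote does not end the string early.
      if (escaped) escaped = false;
      else if (c === '\\') escaped = true;
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') {
      inString = true;
    } else if (c === '{' || c === '[') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (c === '}' || c === ']') {
      depth--;
      if (depth < 0) throw new SyntaxError('unbalanced brackets at offset ' + i);
    }
  }
  if (depth !== 0 || inString) throw new SyntaxError('unterminated structure');
  return maxDepth;
}

// Rejects over-deep input before the (possibly recursive) parser sees it.
function parseJsonBounded(text, maxDepth = 64) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Constructed samples: a benign document (depth 4; the bracket characters
// inside the "note" string must not count) and a 100000-deep array, the
// kind of payload that exhausts a recursive parser's stack.
const SAMPLE_OK = '{"issue":{"fields":{"labels":["a","b"],"note":"[{not a bracket}]"}}}';
const SAMPLE_DEEP = '['.repeat(100000) + ']'.repeat(100000);
```

The scan costs O(n) and a handful of bytes of state regardless of nesting, so it can sit in front of any parser, in Jira's case the JSON-to-XML conversion Jettison performs, without adding a second stack-dependent step.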

_____________________________________________________________________

Prototype Pollution lodash.pick Dependency Vulnerability in Jira
Software Data Center and Server

    Published

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.12, 11.1.0
    Affects Version/s:
    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7,
    10.3.8, 10.3.9, 10.3.10, 10.3.11, 11.0.0, 11.0.1
    Component/s:    None
    Labels:
        advisory advisory-to-release dont-import security 

    CVSS Score:    7.4
    CVSS Severity:    High
    CVE ID:    CVE-2020-8203
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
    Vulnerability Classes:    Prototype Pollution	
    Affected Product(s):
    Jira Software Data Center, Jira Software Server	

This High severity Prototype Pollution vulnerability known as
CVE-2020-8203 was introduced in 10.3.0 of Jira Software Data
Center and Server.

This vulnerability with a CVSS Score of 7.4 and a CVSS Vector
of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H allows an
unauthenticated attacker to take actions which have no impact
to confidentiality, high impact to integrity, high impact to
availability, and requires no user interaction. 

Atlassian recommends that Jira Software Data Center and Server
customers upgrade to the latest version. If you are unable to do so,
upgrade your instance to one of the specified supported fixed
versions:

    Jira Software Data Center and Server 10.3: Upgrade to a
release greater than or equal to 10.3.13
    Jira Software Data Center and Server 11.1: Upgrade to a
release greater than or equal to 11.1.0

See the release notes. You can download the latest version of
Jira Software Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: Prototype pollution attack
when using _.zipObjectDeep in lodash before 4.17.20.
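The bug class behind the description above, as an added example (not code from Atlassian or the lodash project): a deep-set helper that follows attacker-supplied key paths without filtering will step through "__proto__" onto Object.prototype, so one assignment changes every object in the process. unsafeSetPath below is this example's own minimal stand-in for that pattern, not lodash's implementation; safeSetPath shows the guard. The path strings and property names are constructed for the demonstration.

```javascript
// Added example, not code from Atlassian or the lodash project. A minimal
// deep-set helper in its vulnerable and hardened forms, plus a runner that
// performs the pollution and cleans it up again.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: every path segment is followed blindly, so the segment
// "__proto__" steps from a plain object onto Object.prototype and the final
// assignment lands on every object in the process.
function unsafeSetPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined || node[keys[i]] === null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: refuse the three keys that reach a prototype, and only
// descend into own, non-null object properties (never inherited ones).
function safeSetPath(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set prototype-walking key "${k}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs the constructed attack path against the vulnerable helper, records
// what an unrelated object sees before and after, then removes the
// polluted property so the process is not left in the attacked state.
function demonstratePollution() {
  const before = ({}).isAdmin;                     // undefined on a clean prototype
  unsafeSetPath({}, '__proto__.isAdmin', true);    // constructed attacker-controlled path
  const after = ({}).isAdmin;                      // true: every object is now "admin"
  delete Object.prototype.isAdmin;                 // clean up
  const cleaned = ({}).isAdmin;
  return { before, after, cleaned };
}
```

The key filter is necessary but not sufficient on its own: the own-property check in safeSetPath is what stops a path such as "toString.x" from descending into an inherited object, and Object.freeze(Object.prototype) at startup is a further belt-and-braces measure where the application can tolerate it.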

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================