Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN873 _____________________________________________________________________ DATE : 18/12/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Crucible Server, Fisheye Server versions prior to 4.9.6. ===================================================================== https://jira.atlassian.com/browse/CRUC-8671 https://jira.atlassian.com/browse/CRUC-8670 _____________________________________________________________________ XXE (XML External Entity Injection) Tika Dependency Vulnerability in Crucible Server and Fisheye Server Published Export Type: Public Security Vulnerability Resolution: Fixed Priority: High Fix Version/s: 4.9.6 Affects Version/s: 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.9, 4.8.10, 4.8.11, 4.8.12, 4.8.13, 4.9.0, 4.8.14, 4.8.15, 4.8.16 Component/s: None Labels: advisory advisory-to-release dont-import security CVSS Score: 10 CVSS Severity: Critical CVE ID: CVE-2025-66516 Vulnerability Source: Atlassian (Internal) CVSSv3 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H Vulnerability Classes: XXE (XML External Entity Injection) Affected Product(s): Crucible Server, Fisheye Server This Crucible Server and Fisheye Server release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for exploitation. The patch for CVE-2025-66516 is being released out of an abundance of caution.{} This Critical severity XXE (XML External Entity Injection) vulnerability was introduced in version 4.8.0 of Crucible Server and Fisheye Server. This vulnerability, with a CVSS Score of 10, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Crucible Server and Fisheye Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Crucible Server and Fisheye Server 4.9: Upgrade to a release greater than or equal to 4.9.6 See the release notes (https://confluence.atlassian.com/crucible/crucible-releases-298977378.html, https://confluence.atlassian.com/fisheye/fisheye-releases-960155725.html). You can download the latest version of Crucible Server and Fisheye Server from the download center (https://www.atlassian.com/software/crucible/download-archives, https://www.atlassian.com/software/fisheye/download-archives). The National Vulnerability Database provides the following description for this vulnerability: Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. _____________________________________________________________________ Improper Input Validation in MSSQL JDBC driver in Crucible Server and Fisheye Server Published Export Type: Public Security Vulnerability Resolution: Fixed Priority: High Fix Version/s: 4.9.5 Affects Version/s: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4 Component/s: None Labels: advisory advisory-to-release dont-import security CVSS Score: 8.1 CVSS Severity: High CVE ID: CVE-2025-59250 Vulnerability Source: Atlassian (Internal) CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C Vulnerability Classes: Other Affected Product(s): Crucible Server, Fisheye Server This High severity Improper Input Validation in MSSQL driver vulnerability was introduced in version 4.9.0 of Crucible Server and Fisheye Server. This Improper Input Validation vulnerability, with a CVSS Score of 8.1, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Crucible Server and Fisheye Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Crucible Server and Fisheye Server 4.9: Upgrade to a release greater than or equal to 4.9.5 See the release notes (https://confluence.atlassian.com/crucible/crucible-releases-298977378.html, https://confluence.atlassian.com/fisheye/fisheye-releases-960155725.html). You can download the latest version of Crucible Server and Fisheye Server from the download center (https://www.atlassian.com/software/crucible/download-archives, https://www.atlassian.com/software/fisheye/download-archives). This vulnerability was reported via our Atlassian (Internal) program. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================