Atlassian Addresses Critical Vulnerabilities in Key Software Products
Atlassian has released critical security updates for its software products including Bamboo, Confluence, and Jira, aimed at addressing high-risk vulnerabilities. IT administrators are urged to download and implement these updates promptly to safeguard their systems.
The April updates detail several vulnerabilities categorized as high risk. Notably, Bamboo contains a denial-of-service (DoS) vulnerability stemming from the third-party component Netplex Json-smart (CVE-2024-57699, CVSS 7.5). Confluence is likewise susceptible to a DoS attack through the 'io.netty' component (CVE-2025-24970, CVSS 7.5). Additionally, an XML External Entity Injection (XXE) vulnerability exists in the library 'org.codehaus.jackson:jackson-mapper-asl', a flaw that has been publicly known since 2019 (CVE-2019-10172, CVSS 7.5).
Furthermore, Jira is affected by another XXE vulnerability (CVE-2021-33813, CVSS 7.7) and shares a DoS vulnerability with Bamboo, attributed to the 'net.minidev.json-smart' library (CVE-2024-57699, CVSS 7.5). Jira Service Management also exhibits a similar XXE vulnerability (CVE-2021-33813, CVSS 7.7) and is impacted by the same DoS issue.
Atlassian has provided specific versions to rectify these security flaws:
- Bamboo Data Center and Server: 10.2.3 (LTS), 9.6.11, and 9.6.12 (LTS)
- Confluence Data Center and Server: 9.4.0, 9.2.3 (LTS), and 8.5.21 (LTS)
- Jira Data Center and Server: 10.5.1, 10.3.5 (LTS), and 9.12.22 (LTS)
- Jira Service Management Data Center and Server: 10.5.1, 10.3.5 (LTS), and 5.12.22 (LTS)
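Because Atlassian ships fixes per release branch, an installed build is only patched if it is at or above the fix for its own branch; a build on a branch with no listed fix has to move to the next fixed version above it. The following Python check is an added example, not code from Atlassian or the advisory: the fixed versions are copied from the list above, while the inventory of installed versions is constructed for the demonstration.

```python
# Added example: decide whether an installed Atlassian Data Center/Server build
# is at or above one of the fixed versions from the April advisory.
# FIXED_VERSIONS is taken from the advisory text; the inventory is constructed.
from typing import Optional

FIXED_VERSIONS = {
    "bamboo": ["10.2.3", "9.6.11", "9.6.12"],
    "confluence": ["9.4.0", "9.2.3", "8.5.21"],
    "jira": ["10.5.1", "10.3.5", "9.12.22"],
    "jira-service-management": ["10.5.1", "10.3.5", "5.12.22"],
}


def parse_version(text: str) -> tuple:
    """Turn '9.12.22' (or '9.12.22-rc1') into (9, 12, 22) for numeric comparison."""
    return tuple(int(part) for part in text.strip().split("-")[0].split("."))


def fixed_version_for(product: str, installed: str) -> Optional[str]:
    """Return the version the installed build must move to, or None if it is patched.

    Fixes are per release branch (major.minor). On a branch that received a fix,
    the build is patched only at or above that fix; on a branch with no fix, the
    build must move to the nearest listed fixed version above it.
    """
    inst = parse_version(installed)
    fixes = sorted((parse_version(v), v) for v in FIXED_VERSIONS[product])
    same_branch = [(t, v) for t, v in fixes if t[:2] == inst[:2]]
    if same_branch:
        fix_tuple, fix_text = min(same_branch)
        return None if inst >= fix_tuple else fix_text
    higher = [(t, v) for t, v in fixes if t > inst]
    # A branch newer than every listed fix cannot be judged from this list alone.
    return higher[0][1] if higher else None


# Constructed sample inventory; replace with your own (product, version) pairs.
CONSTRUCTED_INVENTORY = [("jira", "9.12.20"), ("confluence", "9.3.1"), ("bamboo", "10.2.3")]


def audit(inventory) -> dict:
    """Map each 'product version' entry to the fix it needs, or None if already patched."""
    return {f"{p} {v}": fixed_version_for(p, v) for p, v in inventory}


if __name__ == "__main__":
    for entry, target in audit(CONSTRUCTED_INVENTORY).items():
        print(entry, "patched" if target is None else f"upgrade to {target}")
```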
In February, Atlassian had also issued updates addressing high-risk vulnerabilities that affected not only Bamboo but also Bitbucket and Jira. This consistent focus on security underscores the importance of timely software updates in mitigating potential threats.