Atlassian Addresses Critical Vulnerabilities in Key Software Products

Thu 17th Apr, 2025

Atlassian has released critical security updates for its software products including Bamboo, Confluence, and Jira, aimed at addressing high-risk vulnerabilities. IT administrators are urged to download and implement these updates promptly to safeguard their systems.

The April updates detail several vulnerabilities categorized as high risk. Bamboo contains a denial-of-service (DoS) vulnerability stemming from the third-party component Netplex Json-smart (CVE-2024-57699, CVSS 7.5). Confluence is susceptible to a DoS attack through the 'io.netty' component (CVE-2025-24970, CVSS 7.5), and additionally to an XML External Entity Injection (XXE) vulnerability in the library 'org.codehaus.jackson:jackson-mapper-asl', a flaw that has been publicly known since 2019 (CVE-2019-10172, CVSS 7.5).

Furthermore, Jira is affected by another XXE vulnerability (CVE-2021-33813, CVSS 7.7) and shares a DoS vulnerability with Bamboo, attributed to the 'net.minidev.json-smart' library (CVE-2024-57699, CVSS 7.5). Jira Service Management also exhibits a similar XXE vulnerability (CVE-2021-33813, CVSS 7.7) and is impacted by the same DoS issue.

Atlassian has provided specific versions to rectify these security flaws:

  • Bamboo Data Center and Server: 10.2.3 (LTS), 9.6.11, and 9.6.12 (LTS)
  • Confluence Data Center and Server: 9.4.0, 9.2.3 (LTS), and 8.5.21 (LTS)
  • Jira Data Center and Server: 10.5.1, 10.3.5 (LTS), and 9.12.22 (LTS)
  • Jira Service Management Data Center and Server: 10.5.1, 10.3.5 (LTS), and 5.12.22 (LTS)
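The fixed-version list above is what an administrator actually has to compare an inventory against, and the comparison is not a plain "newer is better": a build on a release line with no listed fix (for example Bamboo 10.0.x) still needs an upgrade even though it is numerically newer than the patched 9.6 line. The following script is an added example, not Atlassian's tooling or anything from the advisory; it encodes the versions given above and applies two stated assumptions, labelled in the code, about how release lines without a listed fix are treated. The inventory entries are constructed sample data.

```python
"""Triage an inventory of Atlassian installs against the fixed versions from
the April 2025 bulletin.  Added example; not Atlassian's own code.

Assumptions not stated in the article (see is_fixed):
  1. On a release line (major.minor) that has a listed fix, any build at or
     above the lowest listed fix on that line is patched.
  2. On a release line with no listed fix, only builds newer than every
     listed fix are treated as patched; everything else needs an upgrade.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed versions exactly as given in the advisory text.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Bamboo": ["10.2.3", "9.6.11", "9.6.12"],
    "Confluence": ["9.4.0", "9.2.3", "8.5.21"],
    "Jira": ["10.5.1", "10.3.5", "9.12.22"],
    "Jira Service Management": ["10.5.1", "10.3.5", "5.12.22"],
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; missing parts are 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(product: str, installed: str) -> bool:
    """Return True if the installed build carries the April 2025 fixes."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed versions known for {product!r}")
    inst = parse_version(installed)
    fixes = [parse_version(v) for v in FIXED_VERSIONS[product]]

    same_line = [f for f in fixes if f[:2] == inst[:2]]
    if same_line:
        # Assumption 1: the lowest listed fix on this line is the minimum safe build.
        return inst >= min(same_line)

    # Assumption 2: no fix is listed for this line, so only builds newer than
    # every listed fix count as patched (e.g. Bamboo 10.0.x is NOT patched).
    return inst > max(fixes)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, product, version) entries to (host, action) decisions."""
    results = []
    for host, product, version in inventory:
        if is_fixed(product, version):
            results.append((host, "ok"))
        else:
            targets = ", ".join(FIXED_VERSIONS[product])
            results.append((host, f"upgrade {product} {version} -> one of {targets}"))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = [
        ("bamboo-01", "Bamboo", "9.6.10"),
        ("bamboo-02", "Bamboo", "10.0.1"),
        ("wiki-01", "Confluence", "8.5.21"),
        ("jira-01", "Jira", "9.12.21"),
        ("jsm-01", "Jira Service Management", "10.3.5"),
    ]
    for host, action in triage(sample):
        print(f"{host}: {action}")
```

Because the advisory lists fixes per LTS line, the script keys its decision on the major.minor line first and only falls back to a global comparison when no fix is listed for that line; that is the step a naive "is my version greater than X" check gets wrong.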

In February, Atlassian had also issued updates addressing high-risk vulnerabilities that affected not only Bamboo but also Bitbucket and Jira. This consistent focus on security underscores the importance of timely software updates in mitigating potential threats.
