Published On: Nov 26, 2025 09:28
Advisory No: TZCERT-SA-25-0119
Source: Atlassian
Software Affected: Bitbucket Data Center and Server, Confluence Data Center and Server
Several Atlassian products are affected by critical vulnerabilities. Successful exploitation may allow an attacker to execute arbitrary code.
Bitbucket Data Center and Server and Confluence Data Center and Server are affected by the vulnerabilities tracked as CVE-2024-38999, CVE-2016-1000027, CVE-2023-42282, and CVE-2023-45133, which carry CVSS scores of 10, 9.8, and 9.3. The underlying weaknesses are, respectively: prototype pollution via the function s.contexts._.configure; Java deserialization of untrusted data; improper categorisation of some IP addresses as globally routable by isPublic; and unsafe behaviour when specific plugins rely on the internal Babel methods path.evaluate() or path.evaluateTruthy(). These vulnerabilities allow a malicious actor to execute arbitrary code or cause a Denial of Service (DoS).
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
Atlassian has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.