Vulnerability-Lookup

CVE-2025-66516 (GCVE-0-2025-66516)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:17 – Updated: 2026-01-15 04:56

Title

Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected

Summary

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Severity ?

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/s5x3k93nhbkqzztp1…	vendor-advisory
	https://cve.org/CVERecord?id=CVE-2025-54988	related

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache Tika core

Affected: 1.13 , ≤ 3.2.1 (semver)

	Apache Software Foundation	Apache Tika parsers	Affected: 1.13 , < 2.0.0 (semver)
	Apache Software Foundation	Apache Tika PDF parser module	Affected: 2.0.0 , ≤ 3.2.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66516",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-15T04:56:01.082Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-core",
          "product": "Apache Tika core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "1.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-parsers",
          "product": "Apache Tika parsers",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "1.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.tika:tika-parser-pdf-module",
          "product": "Apache Tika PDF parser module",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \u003cbr\u003e\u003cbr\u003eThis CVE covers the same vulnerability as in\u0026nbsp;CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \u003cbr\u003e\u003cbr\u003eFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u0026gt;= 3.2.2 would still be vulnerable. \u003cbr\u003e\u003cbr\u003eSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module."
            }
          ],
          "value": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \n\nThis CVE covers the same vulnerability as in\u00a0CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \n\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u003e= 3.2.2 would still be vulnerable. \n\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T16:12:37.859Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cve.org/CVERecord?id=CVE-2025-54988"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-66516",
    "datePublished": "2025-12-04T16:17:24.980Z",
    "dateReserved": "2025-12-03T23:11:17.441Z",
    "dateUpdated": "2026-01-15T04:56:01.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66516\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-05T18:26:33.915381Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-05T18:26:41.700Z\"}}], \"cna\": {\"title\": \"Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"critical\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tika core\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.2.1\"}], \"packageName\": \"org.apache.tika:tika-core\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tika parsers\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.13\", \"lessThan\": \"2.0.0\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.tika:tika-parsers\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tika PDF parser module\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.2.1\"}], \"packageName\": \"org.apache.tika:tika-parser-pdf-module\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://cve.org/CVERecord?id=CVE-2025-54988\", \"tags\": [\"related\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \\n\\nThis CVE covers the same vulnerability as in\\u00a0CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \\n\\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u003e= 3.2.2 would still be vulnerable. \\n\\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \\\"org.apache.tika:tika-parsers\\\" module.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \u003cbr\u003e\u003cbr\u003eThis CVE covers the same vulnerability as in\u0026nbsp;CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \u003cbr\u003e\u003cbr\u003eFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u0026gt;= 3.2.2 would still be vulnerable. \u003cbr\u003e\u003cbr\u003eSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \\\"org.apache.tika:tika-parsers\\\" module.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-12-30T16:12:37.859Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66516\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-15T04:56:01.082Z\", \"dateReserved\": \"2025-12-03T23:11:17.441Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-12-04T16:17:24.980Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-66516

Vulnerability from fkie_nvd - Published: 2025-12-04 17:15 - Updated: 2025-12-30 16:15

Severity ?

8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@apache.org	https://cve.org/CVERecord?id=CVE-2025-54988	Third Party Advisory
	security@apache.org	https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k	Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	tika	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "06E31452-81F9-4B50-A6E1-EE8FE3E148BD",
              "versionEndExcluding": "3.2.2",
              "versionStartIncluding": "1.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \n\nThis CVE covers the same vulnerability as in\u00a0CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \n\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u003e= 3.2.2 would still be vulnerable. \n\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module."
    }
  ],
  "id": "CVE-2025-66516",
  "lastModified": "2025-12-30T16:15:46.230",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.9,
        "source": "security@apache.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-12-04T17:15:57.120",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://cve.org/CVERecord?id=CVE-2025-54988"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

CERTFR-2026-AVI-0065

Vulnerability from certfr_avis - Published: 2026-01-21 - Updated: 2026-01-21

De multiples vulnérabilités ont été découvertes dans les produits Atlassian. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Atlassian	Jira	Jira Software Server versions 11.3.x antérieures à 11.3.0
Atlassian	Confluence	Confluence Server versions antérieures à 8.5.31
Atlassian	Jira	Jira Service Management Data Center versions antérieures à 5.12.29
Atlassian	Jira	Jira Service Management Server versions 11.x antérieures à 11.2.1
Atlassian	Jira	Jira Service Management Data Center versions 11.x antérieures à 11.2.1
Atlassian	Jira	Jira Software Data Center versions 11.2.x antérieures à 11.2.1
Atlassian	Jira	Jira Software Server versions 11.2.x antérieures à 11.2.1
Atlassian	Jira	Jira Software Data Center versions 10.x antérieures à 10.3.16
Atlassian	Jira	Jira Service Management Server versions 10.x antérieures à 10.3.16
Atlassian	Jira	Jira Service Management Server versions 11.3.x antérieures à 11.3.0
Atlassian	Confluence	Confluence Server versions 9.x antérieures à 9.2.13
Atlassian	Confluence	Confluence Data Center versions 10.x antérieures à 10.2.2
Atlassian	Jira	Jira Software Data Center versions antérieures à 9.12.26
Atlassian	Jira	Jira Service Management Data Center versions 11.3.x antérieures à 11.3.1
Atlassian	Confluence	Confluence Data Center versions antérieures à 8.5.31
Atlassian	Jira	Jira Software Server versions antérieures à 9.12.26
Atlassian	Confluence	Confluence Data Center versions 9.x antérieures à 9.2.13
Atlassian	Jira	Jira Service Management Data Center versions 10.x antérieures à 10.3.16
Atlassian	Jira	Jira Software Server versions 10.x antérieures à 10.3.16
Atlassian	Jira	Jira Service Management Server versions antérieures à 5.12.29
Atlassian	Jira	Jira Software Data Center versions 11.3.x antérieures à 11.3.0

References

Title

Publication Time

Tags

Bulletin de sécurité Atlassian JSWSERVER-26667	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16497	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16496	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101827	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26665	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16485	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26661	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16491	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101878	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16501	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26663	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16503	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26662	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16459	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26654	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26656	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101872	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16502	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101842	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16499	2026-01-20	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16465	2026-01-20	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Jira Software Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Server versions ant\u00e9rieures \u00e0 8.5.31",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Data Center versions ant\u00e9rieures \u00e0 5.12.29",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Server versions 11.x ant\u00e9rieures \u00e0 11.2.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Data Center versions 11.x ant\u00e9rieures \u00e0 11.2.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Data Center versions 11.2.x ant\u00e9rieures \u00e0 11.2.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Server versions 11.2.x ant\u00e9rieures \u00e0 11.2.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Data Center versions 10.x ant\u00e9rieures \u00e0 10.3.16",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Server versions 10.x ant\u00e9rieures \u00e0 10.3.16",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Server versions 9.x ant\u00e9rieures \u00e0 9.2.13",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center versions 10.x ant\u00e9rieures \u00e0 10.2.2",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.12.26",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Data Center versions 11.3.x ant\u00e9rieures \u00e0 11.3.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center versions ant\u00e9rieures \u00e0 8.5.31",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Server versions ant\u00e9rieures \u00e0 9.12.26",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center versions 9.x ant\u00e9rieures \u00e0 9.2.13",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Data Center versions 10.x ant\u00e9rieures \u00e0 10.3.16",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Server versions 10.x ant\u00e9rieures \u00e0 10.3.16",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Server versions ant\u00e9rieures \u00e0 5.12.29",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Data Center versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-9287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
    },
    {
      "name": "CVE-2025-49146",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
    },
    {
      "name": "CVE-2022-25883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
    },
    {
      "name": "CVE-2025-66516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66516"
    },
    {
      "name": "CVE-2025-15284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
    },
    {
      "name": "CVE-2024-21538",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
    },
    {
      "name": "CVE-2024-45296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
    },
    {
      "name": "CVE-2021-3807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
    },
    {
      "name": "CVE-2024-45801",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
    },
    {
      "name": "CVE-2022-45693",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
    },
    {
      "name": "CVE-2025-54988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54988"
    },
    {
      "name": "CVE-2025-9288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
    },
    {
      "name": "CVE-2025-52434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
    },
    {
      "name": "CVE-2025-53689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53689"
    }
  ],
  "initial_release_date": "2026-01-21T00:00:00",
  "last_revision_date": "2026-01-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0065",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-01-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Atlassian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Atlassian",
  "vendor_advisories": [
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26667",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26667"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16497",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16497"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16496",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16496"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101827",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101827"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26665",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26665"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16485",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16485"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26661",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26661"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16491",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16491"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101878",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101878"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16501",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16501"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26663",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26663"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16503",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16503"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26662",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26662"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16459",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16459"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26654",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26654"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26656",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26656"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101872",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101872"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16502",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16502"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101842",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101842"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16499",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16499"
    },
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16465",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16465"
    }
  ]
}

CERTFR-2025-AVI-1100

Vulnerability from certfr_avis - Published: 2025-12-12 - Updated: 2025-12-12

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Atlassian	Jira	Jira Software Data Center et Server versions 9.12.x antérieures à 9.12.30
Atlassian	Jira	Jira Software Data Center et Server versions 10.3.x antérieures à 10.3.15
Atlassian	Confluence	Confluence Data Center et Server versions 9.5.x antérieures à 9.5.2
Atlassian	Jira	Jira Service Management Data Center et Server versions 11.x antérieures à 11.2.1
Atlassian	Confluence	Confluence Data Center et Server versions 10.0.x antérieures à 10.0.2
Atlassian	Confluence	Confluence Data Center et Server versions 8.5.x antérieures à 8.5.30
Atlassian	Confluence	Confluence Data Center et Server versions 10.1.x antérieures à 10.1.0
Atlassian	Confluence	Confluence Data Center et Server versions 9.2.x antérieures à 9.2.12
Atlassian	Confluence	Confluence Data Center et Server versions 9.3.x antérieures à 9.3.1
Atlassian	Confluence	Confluence Data Center et Server versions 9.4.x antérieures à 9.4.0
Atlassian	Jira	Jira Service Management Data Center et Server versions 10.3.x antérieures à 10.3.15
Atlassian	Jira	Jira Software Data Center et Server versions 11.x antérieures à 11.2.1
Atlassian	Confluence	Confluence Data Center et Server versions 10.2.x antérieures à 10.2.1

References

Title

Publication Time

Tags

Bulletin de sécurité Atlassian JSDSERVER-16469	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26599	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101574	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26636	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26600	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16461	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16478	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26614	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16458	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26630	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26627	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26634	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16466	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101788	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101478	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101573	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16477	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26635	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16470	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26629	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16479	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26625	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26626	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101575	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16462	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian CONFSERVER-101489	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26619	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16456	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26615	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26628	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSDSERVER-16480	2025-12-11	vendor-advisory
Bulletin de sécurité Atlassian JSWSERVER-26620	2025-12-11	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Jira Software Data Center et Server versions 9.12.x ant\u00e9rieures \u00e0 9.12.30",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Data Center et Server versions 10.3.x ant\u00e9rieures \u00e0 10.3.15",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 9.5.x ant\u00e9rieures \u00e0 9.5.2",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Data Center et Server versions 11.x ant\u00e9rieures \u00e0 11.2.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 10.0.x ant\u00e9rieures \u00e0 10.0.2",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 8.5.x ant\u00e9rieures \u00e0 8.5.30",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 10.1.x ant\u00e9rieures \u00e0 10.1.0",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 9.2.x ant\u00e9rieures \u00e0 9.2.12",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 9.3.x ant\u00e9rieures \u00e0 9.3.1",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 9.4.x ant\u00e9rieures \u00e0 9.4.0",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Service Management Data Center et Server versions 10.3.x ant\u00e9rieures \u00e0 10.3.15",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Jira Software Data Center et Server versions 11.x ant\u00e9rieures \u00e0 11.2.1",
      "product": {
        "name": "Jira",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    },
    {
      "description": "Confluence Data Center et Server versions 10.2.x ant\u00e9rieures \u00e0 10.2.1",
      "product": {
        "name": "Confluence",
        "vendor": {
          "name": "Atlassian",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2021-39227",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39227"
    },
    {
      "name": "CVE-2022-37603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
    },
    {
      "name": "CVE-2025-66516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66516"
    },
    {
      "name": "CVE-2024-29415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29415"
    },
    {
      "name": "CVE-2025-41248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41248"
    },
    {
      "name": "CVE-2025-27152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
    },
    {
      "name": "CVE-2024-21634",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21634"
    },
    {
      "name": "CVE-2022-37601",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
    },
    {
      "name": "CVE-2025-48976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
    },
    {
      "name": "CVE-2022-45693",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
    },
    {
      "name": "CVE-2016-1181",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1181"
    },
    {
      "name": "CVE-2025-54988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54988"
    },
    {
      "name": "CVE-2025-55163",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
    },
    {
      "name": "CVE-2023-49735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49735"
    },
    {
      "name": "CVE-2022-3517",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
    },
    {
      "name": "CVE-2024-12905",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12905"
    },
    {
      "name": "CVE-2020-8203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
    },
    {
      "name": "CVE-2022-37599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
    },
    {
      "name": "CVE-2025-58754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58754"
    },
    {
      "name": "CVE-2016-1182",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1182"
    }
  ],
  "initial_release_date": "2025-12-12T00:00:00",
  "last_revision_date": "2025-12-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1100",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-12-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Atlassian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Atlassian",
  "vendor_advisories": [
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16469",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16469"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26599",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26599"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101574",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101574"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26636",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26636"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26600",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26600"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16461",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16461"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16478",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16478"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26614",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26614"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16458",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16458"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26630",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26630"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26627",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26627"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26634",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26634"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16466",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16466"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101788",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101788"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101478",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101478"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101573",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101573"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16477",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16477"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26635",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26635"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16470",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16470"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26629",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26629"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16479",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16479"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26625",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26625"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26626",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26626"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101575",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101575"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16462",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16462"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101489",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-101489"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26619",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26619"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16456",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16456"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26615",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26615"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26628",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26628"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16480",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-16480"
    },
    {
      "published_at": "2025-12-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26620",
      "url": "https://jira.atlassian.com/browse/JSWSERVER-26620"
    }
  ]
}

CERTFR-2026-AVI-0071

Vulnerability from certfr_avis - Published: 2026-01-21 - Updated: 2026-01-21

De multiples vulnérabilités ont été découvertes dans Oracle PeopleSoft. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Oracle	PeopleSoft	PeopleSoft Enterprise HCM Human Resources version 9.2
Oracle	PeopleSoft	PeopleSoft Enterprise PeopleTools versions 8.60 à 8.62
Oracle	PeopleSoft	PeopleSoft Enterprise SCM Purchasing version 9.2

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle PeopleSoft cpujan2026

2026-01-20

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "PeopleSoft Enterprise HCM Human Resources version 9.2",
      "product": {
        "name": "PeopleSoft",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PeopleSoft Enterprise PeopleTools versions 8.60 \u00e0 8.62",
      "product": {
        "name": "PeopleSoft",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "PeopleSoft Enterprise SCM Purchasing version 9.2",
      "product": {
        "name": "PeopleSoft",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-9231",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9231"
    },
    {
      "name": "CVE-2025-10148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-10148"
    },
    {
      "name": "CVE-2026-21961",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21961"
    },
    {
      "name": "CVE-2025-66516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66516"
    },
    {
      "name": "CVE-2025-27209",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27209"
    },
    {
      "name": "CVE-2026-21971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21971"
    },
    {
      "name": "CVE-2025-27210",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27210"
    },
    {
      "name": "CVE-2025-6965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
    },
    {
      "name": "CVE-2026-21938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21938"
    },
    {
      "name": "CVE-2026-21934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21934"
    },
    {
      "name": "CVE-2025-9232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9232"
    },
    {
      "name": "CVE-2025-54988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54988"
    },
    {
      "name": "CVE-2025-55163",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
    },
    {
      "name": "CVE-2025-9086",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9086"
    },
    {
      "name": "CVE-2026-21951",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21951"
    },
    {
      "name": "CVE-2025-9230",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
    },
    {
      "name": "CVE-2025-48924",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
    },
    {
      "name": "CVE-2025-23084",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23084"
    }
  ],
  "initial_release_date": "2026-01-21T00:00:00",
  "last_revision_date": "2026-01-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0071",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-01-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle PeopleSoft. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle PeopleSoft",
  "vendor_advisories": [
    {
      "published_at": "2026-01-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle PeopleSoft cpujan2026",
      "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
    }
  ]
}

CVE-2025-66516

Vulnerability from fstec - Published: 04.12.2025

Title

Уязвимость модулей tika-core, tika-pdf-module и tika-parsers среды обнаружения и анализа контента Apache Tika, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость модулей tika-core, tika-pdf-module и tika-parsers среды обнаружения и анализа контента Apache Tika связана с неверным ограничением XML-ссылок на внешние объекты. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код путем внедрения специально сформированного XFA-шаблона

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor

Apache Software Foundation

Software Name

Tika Core, Tika Parsers, Tika PDF

Software Version

от 1.13 до 3.2.1 включительно (Tika Core), от 1.13 до 2.0.0 (Tika Parsers), от 2.0.0 до 3.2.1 включительно (Tika PDF)

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - ограничение возможности открытия файлов, полученных из недоверенных источников; - использование антивирусного программного обеспечения для проверки файлов, полученных из недоверенных источников; - использование замкнутой программной среды для работы с файлами, полученными из недоверенных источников; - использование средств межсетевого экранирования для ограничения доступа к уязвимому программному обеспечению; - ограничение доступа к уязвимому программному обеспечению, используя схему доступа по «белым спискам»; - использование систем обнаружения и предотвращения вторжений для обнаружения (выявления, регистрации) и реагирования на попытки эксплуатации уязвимостей; - ограничение доступа из внешних сетей (Интернет). Использование рекомендаций производителя: https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

Reference

https://github.com/Ashwesker/Blackash-CVE-2025-66516 https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

CWE

CWE-611

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Apache Software Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 1.13 \u0434\u043e 3.2.1 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Tika Core), \u043e\u0442 1.13 \u0434\u043e 2.0.0 (Tika Parsers), \u043e\u0442 2.0.0 \u0434\u043e 3.2.1 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Tika PDF)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u043e\u0442\u043a\u0440\u044b\u0442\u0438\u044f \u0444\u0430\u0439\u043b\u043e\u0432, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0430\u043d\u0442\u0438\u0432\u0438\u0440\u0443\u0441\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0444\u0430\u0439\u043b\u043e\u0432, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0437\u0430\u043c\u043a\u043d\u0443\u0442\u043e\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u044b \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0444\u0430\u0439\u043b\u0430\u043c\u0438, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u043c\u0438 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0441\u0445\u0435\u043c\u0443 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043f\u043e \u00ab\u0431\u0435\u043b\u044b\u043c \u0441\u043f\u0438\u0441\u043a\u0430\u043c\u00bb;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f (\u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f, \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438) \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438\u0437 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442).\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "04.12.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "15.12.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "15.12.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-15736",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-66516",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Tika Core, Tika Parsers, Tika PDF",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u0435\u0439 tika-core, tika-pdf-module \u0438 tika-parsers \u0441\u0440\u0435\u0434\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u0430\u043d\u0430\u043b\u0438\u0437\u0430 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430 Apache Tika, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b (CWE-611)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u0435\u0439 tika-core, tika-pdf-module \u0438 tika-parsers \u0441\u0440\u0435\u0434\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u0430\u043d\u0430\u043b\u0438\u0437\u0430 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430 Apache Tika \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0435\u043c \u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u044f \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e XFA-\u0448\u0430\u0431\u043b\u043e\u043d\u0430",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/Ashwesker/Blackash-CVE-2025-66516\nhttps://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-611",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)"
}

GHSA-F58C-GQ56-VJJF

Vulnerability from github – Published: 2025-12-04 18:30 – Updated: 2025-12-05 02:26

Summary

Apache Tika has XXE vulnerability

Details

This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.

First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.

Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Severity ?

10.0 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-parsers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-parser-pdf-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-05T02:24:30Z",
    "nvd_published_at": "2025-12-04T17:15:57Z",
    "severity": "CRITICAL"
  },
  "details": "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. \n\nThis CVE covers the same vulnerability as in\u00a0CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. \n\nFirst, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to \u003e= 3.2.2 would still be vulnerable. \n\nSecond, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the \"org.apache.tika:tika-parsers\" module.",
  "id": "GHSA-f58c-gq56-vjjf",
  "modified": "2025-12-05T02:26:56Z",
  "published": "2025-12-04T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66516"
    },
    {
      "type": "WEB",
      "url": "https://cve.org/CVERecord?id=CVE-2025-54988"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tika"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Tika has XXE vulnerability"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-66516 (GCVE-0-2025-66516)

FKIE_CVE-2025-66516

CERTFR-2026-AVI-0065

Solutions

CERTFR-2025-AVI-1100

Solutions

CERTFR-2026-AVI-0071

Solutions

CVE-2025-66516

GHSA-F58C-GQ56-VJJF

Tags

Sightings

Nomenclature