Security Bulletin - November 18 2025

セキュリティ アドバイザリーおよびセキュリティ情報

このページの内容

関連コンテンツ

  • 関連コンテンツがありません

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

November 2025 Security Bulletin

The vulnerabilities reported in this Security Bulletin include 34 high-severity vulnerabilities and 5 critical-severity vulnerabilities which have been fixed in new versions of our products, released in the last month. These vulnerabilities are discovered via our Bug Bounty program, pen-testing processes, and third-party library scans.

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of November 18, 2025 (date of publication); visit the linked product Release Notes for the most up-to-date versions.

NOTE: The vulnerabilities included in monthly Security Bulletins present a lower impact than those published via Critical Security Advisories. Customers can expect to receive those high-priority patches outside of our monthly schedule as necessary.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

リリースされたセキュリティ脆弱性
Product & Release Notes影響を受けるバージョン修正対象バージョンVulnerability SummaryCVE IDCVSS Severity
Bitbucket Data Center および Server
  • 10.0.0 から 10.0.1
  • 9.6.0 から 9.6.5
  • 9.5.0 から 9.5.2
  • 9.4.0 to 9.4.11 (LTS)
  • 9.2.0 から 9.2.1
  • 9.1.0 から 9.1.1
  • 9.0.1
  • 8.19.0 to 8.19.24 (LTS)
  • 8.18.0 から 8.18.1
  • 8.17.0 から 8.17.2
  • 8.16.0 から 8.16.4
  • 8.15.2 から 8.15.5
  • 8.14.3 から 8.14.6
  • 8.13.4 から 8.13.6
  • 8.12.5 から 8.12.6
  • 8.9.8 to 8.9.27 (LTS)
  • 10.0.2 Data Center Only
  • 8.19.25 (LTS) Data Center Only
  • 9.4.12 or 9.4.13 (LTS) recommended Data Center Only

RCE (Remote Code Execution) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-38999

  • This is a vulnerability in a non-Atlassian Bitbucket dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
CVE-2024-3899910 Critical

RCE (Remote Code Execution) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2016-1000027

  • This is a vulnerability in a non-Atlassian Bitbucket dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
CVE-2016-10000279.8 Critical

SSRF (Server-Side Request Forgery) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2023-42282

  • This is a vulnerability in a non-Atlassian Bitbucket dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
CVE-2023-422829.8 Critical

RCE (Remote Code Execution) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2023-45133

  • This is a vulnerability in a non-Atlassian Bitbucket dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
CVE-2023-451339.3 Critical
Improper Authorization Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-48734CVE-2025-487348.8 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-55163CVE-2025-551638.2 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-25710CVE-2024-257108.1 High
SSRF (Server-Side Request Forgery) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-29415CVE-2024-294158.1 High
SSRF (Server-Side Request Forgery) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-22259CVE-2024-222598.1 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-21538CVE-2024-215387.7 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2023-52428CVE-2023-524287.5 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-45590CVE-2024-455907.5 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2021-3803CVE-2021-38037.5 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2022-31129CVE-2022-311297.5 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2021-3807CVE-2021-38077.5 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-4068CVE-2024-40687.5 High
Path Traversal Third-Party Dependency in Bitbucket Data Center and Server - CVE-2022-24785CVE-2022-247857.5 High
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2021-33587CVE-2021-335877.5 High
Improper Authorization Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-41248CVE-2025-412487.5 High
Cryptographic Failure Third-Party Dependency in Bitbucket Data Center and Server - CVE-2022-24772CVE-2022-247727.5 High
Path Traversal Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-38819CVE-2024-388197.5 High
Cryptographic Failure Third-Party Dependency in Bitbucket Data Center and Server - CVE-2022-24771CVE-2022-247717.5 High
Broken Authentication Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-22228CVE-2025-222287.4 High
Prototype Pollution Third-Party Dependency in Bitbucket Data Center and Server - CVE-2020-8203CVE-2020-82037.4 High
Prototype Pollution Third-Party Dependency in Bitbucket Data Center and Server - CVE-2020-28471CVE-2020-284717.3 High
Improper Authorization Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-22235CVE-2025-222357.3 High
Open Redirect Third-Party Dependency in Bitbucket Data Center and Server - CVE-2023-26159CVE-2023-261597.3 High
Command Injection Third-Party Dependency in Bitbucket Data Center and Server - CVE-2021-23337CVE-2021-233377.2 High
Prototype Pollution Third-Party Dependency in Bitbucket Data Center and Server - CVE-2022-46175CVE-2022-461757.1 High
Confluence Data Center および Server
  • 10.1.0
  • 9.5.1 から 9.5.3
  • 9.4.0 から 9.4.1
  • 9.3.1 から 9.3.2
  • 9.2.0 to 9.2.6 (LTS)
  • 9.1.0 から 9.1.1
  • 9.0.1 から 9.0.3
  • 8.9.0 から 8.9.8
  • 8.8.0 から 8.8.1
  • 8.7.1 から 8.7.2
  • 8.6.2
  • 8.5.0 to 8.5.24 (LTS)
  • 7.19.17 to 7.19.30 (LTS)
  • 10.1.1 Data Center Only
  • 10.0.2 to 10.0.3 Data Center Only
  • 9.2.7 to 9.2.10 (LTS) recommended Data Center Only
  • 8.5.25 to 8.5.28 (LTS) Data Center Only

SSRF (Server-Side Request Forgery) Third-Party Dependency in Confluence Data Center and Server - CVE-2023-42282

  • This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
CVE-2023-422829.8 Critical
Path Traversal Third-Party Dependency in Confluence Data Center and Server - CVE-2023-42282CVE-2025-483878.7 High
DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2025-22166CVE-2025-221668.3 High
DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2024-37890CVE-2024-378907.5 High
DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2023-42282CVE-2022-389007.5 High
Improper Authorization Third-Party Dependency in Confluence Data Center and Server - CVE-2025-41248CVE-2025-412487.5 High
DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2024-45296CVE-2024-452967.5 High
Prototype Pollution Third-Party Dependency in Confluence Data Center and Server - CVE-2022-46175CVE-2022-461757.1 High
Jira Data Center および Server
  • 11.1.0 から 11.1.1
  • 11.0.0 から 11.0.1
  • 10.7.1 から 10.7.2
  • 10.6.0 から 10.6.1
  • 10.5.0 から 10.5.1
  • 10.4.0 から 10.4.1
  • 10.3.0 to 10.3.9 (LTS)
  • 10.2.0 から 10.2.1
  • 10.1.1 から 10.1.2
  • 10.0.0 から 10.0.1
  • 9.17.0 から 9.17.5
  • 9.16.0 から 9.16.1
  • 9.15.2
  • 9.14.0 から 9.14.1
  • 9.13.0 から 9.13.1
  • 9.12.0 to 9.12.25 (LTS)
  • 11.2.0 Data Center Only
  • 10.7.3 to 10.7.4 Data Center Only
  • 10.3.10 to 10.3.13 (LTS) recommended Data Center Only
  • 9.12.26 to 9.12.29 (LTS)
DoS (Denial of Service) Third-Party Dependency in Jira Software Data Center and ServerCVE-2025-489767.5 High
Jira Service Management Data Center および Server
  • 11.1.0 から 11.1.1
  • 11.0.0 から 11.0.1
  • 10.7.1 から 10.7.2
  • 10.6.0 から 10.6.1
  • 10.5.0 から 10.5.1
  • 10.4.0 から 10.4.1
  • 10.3.0 to 10.3.9 (LTS)
  • 10.2.0 から 10.2.1
  • 10.1.1 から 10.1.2
  • 10.0.0 から 10.0.1
  • 5.12.0 to 5.12.25 (LTS)
  • 11.2.0 Data Center Only
  • 10.7.3 to 10.7.4 Data Center Only
  • 10.3.10 to 10.3.13 (LTS) recommended Data Center Only
  • 5.12.26 to 5.12.29 (LTS)
DoS (Denial of Service) Third-Party Dependency in Jira Service Management Data Center and ServerCVE-2025-489767.5 High


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.

  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.

  • I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.

  • Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post


To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

最終更新日 2025 年 11 月 24 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する

関連コンテンツ

  • 関連コンテンツがありません
Powered by Confluence and Scroll Viewport.