Apache Tomcat CVE-2025-24813 for JIRA Version 9.12.16. Upgrade to 10.5?

SJ March 23, 2025

We currently have JIRA Software Data Centre Version 9.12.16, and its application server container is Apache Tomcat/9.0.97.

A new vulnerability, CVE-2025-24813, has been raised for Apache Tomcat:

(https://nvd.nist.gov/vuln/detail/CVE-2025-24813)

Since Apache Tomcat is packaged in Jira, where can we find out whether this vulnerability has been addressed in a newer version, say Jira Software 10.5?

Apache Tomcat (affects: 9.0.0.M1 to 9.0.98) has released a new version, 9.0.99, with a fix for the vulnerability. Can we upgrade just the Apache Tomcat in Jira?

Any advice will be appreciated.

Answer accepted
Idan Bidani
Contributor
March 27, 2025

It's really disappointing to see the degrading attitude of the responses here. Your question is absolutely important and would benefit others.

In my Google searches, and in Atlassian's Jira and Security Bulletin searches, I couldn't find any official Atlassian reference to CVE-2025-24813, nor whether or how it impacts Jira.
Per https://community.atlassian.com/forums/Jira-Service-Management/Re-Jira-Service-Management-Datacenter-check-for-CVE-2025/qaq-p/2975873/comment-id/202626#M202626 and my personal validation, this shouldn't affect Atlassian Jira.

I opened an issue asking whether Atlassian can publish a page that informs whether a CVE affects its platforms. It would be useful, so that every client won't have to research it themselves.


SJ March 31, 2025

Thank you for your kind words, and I appreciate your advice. This is what a community is supposed to do: help and guide in a civilised way. I am so new to Jira and don't have any admin access. Due to the Tomcat vulnerability, I was looking to find a solution.

Now I can see the new version Jira 10.5 comes with Tomcat 9.0.100, i.e. the one with the fix. Yes, I totally agree that if Atlassian published something it would be a good reference. We have plugins as well and are now looking into how those will be affected if we upgrade.

SJ April 10, 2025

Please refer to my comments below.

SJ April 10, 2025

Received a reply from support, see below:

This vulnerability affects Tomcat versions up to 9.0.98. The product team confirmed earlier that the Jira installation is not affected by this vulnerability because Jira's Default Servlet does not have write enabled by default, which is one of the conditions for this vulnerability to be exploited.

Jira is not affected by this CVE based on the configuration of Tomcat we're using. Specifically, the readonly flag for DefaultServlet has not been set to false or to an illegal value, so Jira does not meet the requirements stated in the CVE.

However, if your internal security team still has concerns, you can consider upgrading Jira to the latest LTS versions, such as 10.3.4. This version includes Tomcat 9.0.100, which is reassuringly not affected by CVE-2025-24813.
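The support reply above boils down to two checks an admin can run on their own instance before deciding whether to upgrade: is the bundled Tomcat inside the affected 9.0.0.M1 to 9.0.98 range, and does the DefaultServlet in Tomcat's conf/web.xml (or a webapp's WEB-INF/web.xml) set readonly to false (or to anything other than true, which Tomcat treats the same way). The script below is an added example, not code from this thread, Atlassian or the Tomcat project; it also looks at the allowPartialPut init-param, the second precondition named in the NVD entry linked in the question. The web.xml snippets and version strings are constructed for illustration, and the Tomcat 10.1/11.0 ranges are deliberately out of scope.

```python
"""Check a Tomcat 9.0.x instance for the CVE-2025-24813 preconditions
discussed in the thread: an affected version and a DefaultServlet with
writes enabled (readonly != true). Added example; not Atlassian or Tomcat code.
"""
import re
import xml.etree.ElementTree as ET

# Affected range quoted in the question: 9.0.0.M1 up to and including 9.0.98 (fixed in 9.0.99).
LAST_AFFECTED_9X = (9, 0, 98, 1, 0)


def parse_tomcat_version(version):
    """Turn 'Apache Tomcat/9.0.97' or '9.0.0.M1' into a comparable tuple.
    Milestone builds (M1, M2, ...) sort before the GA release of the same number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    # (.., 0, n) is milestone n of this patch level; (.., 1, 0) is the GA release
    return (major, minor, patch, 0 if milestone else 1, int(milestone) if milestone else 0)


def version_is_affected(version):
    """True for 9.0.0.M1 .. 9.0.98; None for other release lines (not covered here)."""
    v = parse_tomcat_version(version)
    if v[:2] != (9, 0):
        return None
    return v <= LAST_AFFECTED_9X


def _local(tag):
    """Strip the XML namespace: Tomcat 9 uses javaee, Tomcat 10 uses jakartaee."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_init_params(web_xml_text):
    """Return {param-name: param-value} for the servlet whose class is DefaultServlet."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def writes_enabled(params):
    """Precondition from support's reply: readonly set to false or an illegal value.
    Tomcat parses the flag with Boolean semantics, so anything but 'true' means writable;
    an absent readonly param keeps Tomcat's default of true (read-only)."""
    value = params.get("readonly")
    return value is not None and value.strip().lower() != "true"


def assess(tomcat_version, web_xml_text):
    params = default_servlet_init_params(web_xml_text)
    return {
        "version_affected": version_is_affected(tomcat_version),
        "writes_enabled": writes_enabled(params),
        # allowPartialPut defaults to true; named as a precondition in the NVD entry
        "partial_put_enabled": params.get("allowPartialPut", "true").strip().lower() == "true",
    }


def exposed(tomcat_version, web_xml_text):
    """All preconditions present at once: affected 9.0.x build, writable DefaultServlet, partial PUT."""
    a = assess(tomcat_version, web_xml_text)
    return bool(a["version_affected"]) and a["writes_enabled"] and a["partial_put_enabled"]


# Constructed sample: Tomcat's shipped conf/web.xml shape (readonly absent, so read-only).
SAFE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed sample: the same file with readonly=false, i.e. the configuration the CVE needs.
WRITABLE_WEB_XML = SAFE_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)

if __name__ == "__main__":
    for label, xml in (("shipped default", SAFE_WEB_XML), ("readonly=false", WRITABLE_WEB_XML)):
        print(label, assess("Apache Tomcat/9.0.97", xml), "exposed:", exposed("Apache Tomcat/9.0.97", xml))
```

Run it against the real file with `default_servlet_init_params(open("conf/web.xml").read())`; a webapp's own WEB-INF/web.xml can override the global DefaultServlet, so check both. The version string comes from `catalina.sh version` or the Tomcat/9.0.97 banner the question quotes.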

SJ March 24, 2025

Hi all,

Since Apache Tomcat is packaged in Jira, where can we find information on whether this vulnerability, CVE-2025-24813, has been addressed in the newer version Jira Software 10.5?

Can't find anything in the release notes?

Sunny Ape
March 24, 2025

[deleted by author]
