Lack of explicit "not affected"/"investigating" entries in Security Bulletins (e.g. CVE-2025-53506)

Aris Lambrianidis
August 20, 2025

Greetings,

Our vulnerability scanner has indicated that our Jira Data Center version is affected by CVE-2025-53506 (among other CVEs affecting Apache Tomcat 9.0.106).

This CVE has been confirmed to affect other Atlassian products leveraging Apache Tomcat.

However, as there is no reference to Jira Data Center in the August 2025 Security Bulletin linked above, we are unsure whether the CVE affects us or not, as we know that Jira is also based on Apache Tomcat.

Given the above, I have one suggestion and one question:

1. It would be great if security bulletins positively indicated what the status of a CVE for a product is, even if there is no fix.

Such statuses could be:

  • "Not affected"
  • "Investigating"
  • etc.

2. Can anyone confirm whether any Jira Data Center versions are affected by CVE-2025-53506?

1 comment

Ryan Goodwin
Contributor
August 20, 2025

Interesting that Confluence and Jira are not even listed in the August 19th bulletin... 
