Overview
Atlassian has released its July 2025 Security Bulletin, highlighting 20 high-severity vulnerabilities across several Data Center and Server products. These include Remote Code Execution (RCE), Improper Authorization, Cross-Site Scripting (XSS), Denial of Service (DoS), and Man-in-the-Middle (MITM) risks.
This post summarizes the key issues, the affected products, and the actions Atlassian recommends for administrators and IT teams.
Key Highlights
- 20 vulnerabilities classified as high-severity (CVSS 7.0–8.8)
- Affected products include:
  - Jira Software / Jira Service Management
  - Confluence
  - Bitbucket
  - Bamboo
  - Crowd
- Cloud products are not impacted.
- Most vulnerabilities originate from third-party libraries used within Atlassian products
- Fixes are available via newly released product versions (some LTS)
Summary of Affected Products and Vulnerabilities
🔹 Jira Software & Jira Service Management
- XSS (Cross-Site Scripting) via DOMPurify (CVE-2024-45801)
- MITM in the httpclient5 dependency (CVE-2025-27820)
- DoS / BASM / Improper Authorization in tomcat-catalina and spring-security-crypto
🔹 Confluence
- MITM vulnerability via httpclient5 (CVE-2025-27820)
🔹 Bitbucket
- Improper Authorization in embedded Tomcat core (CVE-2025-46701)
🔹 Bamboo
- RCE and DoS vulnerabilities from third-party dependencies (e.g. CVE-2025-48734, CVE-2025-48976)
🔹 Crowd
- RCE vulnerability from akka-actor library (CVE-2017-1000034)
What You Should Do
To reduce risk and align with best practices, Atlassian recommends:
- Check your current versions against the bulletin.
- Upgrade to the latest or LTS fixed versions listed in the advisory.
- Follow Atlassian’s Security Bug Fix Policy to stay informed of any backports or exceptions.
- Use the Vulnerability Disclosure Portal to verify exposure to disclosed CVEs.
If you're managing multiple instances or complex upgrade paths, it's helpful to test changes in a staging environment first and review any app compatibility concerns before deploying to production.
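The bulletin attributes most of these issues to third-party libraries, so a quick inventory of which of those libraries a given instance ships, and at what version, is a useful first step before reading the advisory's fixed-version table. The script below is an added example (not from this post or from Atlassian): it parses the JAR names found in a product's `WEB-INF/lib` directory and reports any that match the components named above. The watchlist keys and the sample directory listing are assumptions constructed for the demonstration; fixed versions must still be taken from the bulletin itself.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Third-party components named in the bulletin summary, keyed by the Maven
# artifact name as it appears in the JAR file name (assumed mapping; the
# bulletin itself is authoritative). Entries without a CVE are the items
# the summary reports only by component name.
WATCHLIST: Dict[str, str] = {
    "httpclient5": "MITM (CVE-2025-27820)",
    "tomcat-catalina": "DoS / Improper Authorization",
    "spring-security-crypto": "DoS / Improper Authorization",
    "akka-actor": "RCE (CVE-2017-1000034)",
}

# artifact-<version>.jar, where the version starts with a digit; the lazy
# artifact group lets hyphenated names like tomcat-catalina parse correctly.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9._-]*?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split 'akka-actor_2.11-2.4.2.jar' into ('akka-actor_2.11', '2.4.2')."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def inventory(jar_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, bulletin note) for every watchlisted JAR."""
    hits = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        for key, note in WATCHLIST.items():
            # Exact match, or Scala-style suffix such as akka-actor_2.11
            if artifact == key or artifact.startswith(key + "_"):
                hits.append((artifact, version, note))
    return hits


def scan_lib_dir(path: str) -> List[Tuple[str, str, str]]:
    """Run the inventory against a real WEB-INF/lib directory."""
    return inventory(sorted(os.listdir(path)))


# Constructed sample listing standing in for a real lib directory.
SAMPLE_LIBS = ["httpclient5-5.3.jar", "httpcore5-5.2.4.jar", "tomcat-catalina-9.0.90.jar",
               "spring-security-crypto-6.2.1.jar", "akka-actor_2.11-2.4.2.jar",
               "guava-32.1.3-jre.jar", "README.txt"]

if __name__ == "__main__":
    for artifact, version, note in inventory(SAMPLE_LIBS):
        print(f"{artifact} {version}: {note}")
```

Run it once per product installation and compare each reported version against the fixed versions in the bulletin; an empty report does not by itself mean the instance is patched, since the page also lists product-level fixes that are not tied to a single JAR.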
Why It Matters
Even though the bulletin does not include critical CVEs (which Atlassian typically discloses in separate advisories), high-severity vulnerabilities still pose a significant security and compliance risk, especially in environments with external access, third-party integrations, or sensitive data.
Staying Secure with ONETEEM
At ONETEEM, we help organizations stay on top of their Atlassian platform security by providing a straightforward and strategic path to the Cloud.
We understand that moving from on-premises to Cloud is a significant decision - often complex, resource-intensive, and closely tied to long-term business goals. That’s why we support your journey from both sides:
- Before the decision: We help you assess technical readiness, analyze risks, evaluate costs, and perform due diligence across compliance, performance, and licensing.
- After the decision: We guide you step by step - from strategic planning to full delivery - with tailored migration support, hands-on technical execution, and long-term platform governance.
Whether you're just beginning to evaluate Cloud or already preparing for a migration project, ONETEEM provides clarity, confidence, and continuity throughout the entire process.
Security is a shared responsibility, and staying ahead of vulnerability bulletins is a key part of a secure Atlassian lifecycle.
Resources
Questions or need support with your patching strategy?
Reach out to ONETEEM - we’re here to help keep your Atlassian platforms secure and stable.