Hello,
we got informed about a recent actively exploited vulnerability in Apache Tomcat tracked as [CVE-2025-24813|https://nvd.nist.gov/vuln/detail/CVE-2025-24813].
A CVSS Score was not assigned yet, but probably will be High since no authentication is required. The vulnerability can lead to a Remote Code Execution on Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98 under the following conditions:
- Writes enabled for the default servlet (readonly = "false") (disabled by default)
- Support for partial PUT is enabled (enabled by default)
- Security-sensitive uploads occur in a sub-directory of a public upload directory
- The attacker knows the names of security-sensitive files being uploaded
- These security-sensitive files are being uploaded using partial PUT
If the previous conditions are met, the vulnerability can be exploited with a PUT request containing a base64-encoded serialized Java payload saved to Tomcat's session storage.
Since Jira is provided with its own Apache Tomcat, we kindly ask your support in order to understand if our instance is impacted.
We are running Jira Service Management Datacenter version 5.12.16.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.