
DoS (Denial of Service) Third-Party Dependency in Jira Software Data Center and Server

    • Issue Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: High
    • Fix Version/s: 10.3.6, 10.6.1, 9.12.23
    • Affects Version/s (32): 9.12.0, 9.12.1, 9.12.2, 9.12.3, 9.12.4, 9.12.5, 9.12.6, 9.12.7, 9.12.8, 9.12.9, 9.12.12, 9.12.10, 9.12.11, 9.12.13, 10.2.0, 9.12.14, 10.3.0, 10.3.1, 9.12.15, 9.12.16, 9.12.17, 9.12.18, 9.12.19, 9.12.20, 10.3.2, 10.3.3, 10.3.4, 10.4.0, 10.5.0, 10.6.0, 10.3.5, 9.12.21, 9.12.22
    • Component/s: None
    • CVSS Score: 7.5
    • Severity: High
    • CVE ID: CVE-2025-31650
    • Credit: Atlassian (Internal)
    • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • Vulnerability Category: DoS (Denial of Service)
    • Affected Products: Jira Software Data Center, Jira Software Server

      This High severity Third-Party Dependency vulnerability was introduced in versions 9.12.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, and 10.6.0 of Jira Software Data Center and Server.

      This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, can be exploited by an unauthenticated attacker against exposed assets in your environment. It has no impact to confidentiality, no impact to integrity, a high impact to availability, and requires no user interaction.

      Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      • Jira Software Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.23
      • Jira Software Data Center and Server 10.3: Upgrade to a release greater than or equal to 10.3.6
      • Jira Software Data Center and Server 10.6: Upgrade to a release greater than or equal to 10.6.1

      See the release notes (https://www.atlassian.com/software/jira/download-archives). You can download the latest version of Jira Software Data Center and Server from the download center (https://www.atlassian.com/software/jira/download-archives).

      The National Vulnerability Database provides the following description for this vulnerability: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

      This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.

      Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.


            Rainer Pöhlmann added a comment - 11ec0d4c1264: We've opened a support ticket with Atlassian regarding this question. Atlassian might consider adding this information to this issue.

            To summarize:

            (...)
            Since your Jira (addendum: 9.12.22 LTS) version ships with Apache Tomcat 9.0.102, it falls within the affected range.
            (...)
            The Apache Tomcat bug is a denial of service vulnerability that affects the "h2" connector of Tomcat. Therefore, if h2 (HTTP2) traffic is processed by Tomcat, then a malicious actor could bring down the Jira node.
            (...)

            But: it depends on whether the "http2" connector at the Tomcat level is used:

            To verify, check server.xml for "org.apache.coyote.http2.Http2Protocol". If that is not present on an active connector, then you aren't using HTTP2 at Tomcat and are not affected by CVE-2025-31650.
            If you're not considering a major upgrade, Jira version 9.12.24 includes Apache Tomcat/9.0.105
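The two checks discussed on this page, the affected Tomcat ranges from the NVD description and the server.xml test for an active Http2Protocol connector from the comment above, as an added example (not Atlassian's or Tomcat's code). The server.xml is a constructed sample; it deliberately contains a commented-out HTTP/2 connector, which a plain grep would count but an XML parser correctly ignores.

```python
"""Decide whether a Jira node is exposed to CVE-2025-31650: the bundled Tomcat
must be in an affected range AND an active connector must enable HTTP/2."""
import re
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def parse_version(text):
    """'9.0.102' -> (9,0,102,1,0); '11.0.0-M2' -> (11,0,0,0,2).
    The 4th field makes milestone builds sort before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))


# Inclusive ranges exactly as given in the NVD description on this page.
AFFECTED = [(parse_version(lo), parse_version(hi)) for lo, hi in
            (("9.0.76", "9.0.102"), ("10.1.10", "10.1.39"), ("11.0.0-M2", "11.0.5"))]


def tomcat_version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def http2_connectors(server_xml):
    """Ports of every active Connector that declares an Http2Protocol upgrade.
    ElementTree drops XML comments, so a commented-out connector is not counted."""
    root = ET.fromstring(server_xml)
    return [conn.get("port") for conn in root.iter("Connector")
            if any(up.get("className") == HTTP2_CLASS
                   for up in conn.findall("UpgradeProtocol"))]


def exposure(server_xml, version):
    """Node is exposed only when both conditions hold."""
    ports = http2_connectors(server_xml)
    affected = tomcat_version_affected(version)
    return {"tomcat_affected": affected, "http2_ports": ports,
            "exposed": affected and bool(ports)}


# Constructed sample server.xml (not from a real Jira install).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector> -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""
```

Run `exposure(open("conf/server.xml").read(), "9.0.102")` against a node's real server.xml and the Tomcat version shown in its startup log; a reverse proxy that terminates HTTP/2 in front of Tomcat does not change the result, since only Tomcat's own h2 connector is relevant here.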

            Aleksandar Josic added a comment - What about Jira DC LTS v9.12? Is that LTS affected or not? I don't see that the above issue is solved in the latest published version v9.12.24 from 3 June 2025, or am I missing something here?

            Juan Escobar added a comment - We are currently running Jira DC 10.3.5 LTS, which is affected by this vulnerability, and according to Atlassian's recommendation we need to upgrade to 10.3.6 LTS, which is fine. This notice also identifies our current version of Apache Tomcat v9.0.102 as being affected by this vulnerability and recommends upgrading to v9.0.104; however, that version of Apache Tomcat is not embedded (https://confluence.atlassian.com/adminjiraserver/bundled-tomcat-and-java-versions-1360072938.html) in the recommended Jira version 10.3.6 LTS.

            Atlassian discourages upgrading Apache Tomcat manually, so is v10.3.6 LTS going to be updated to include Apache Tomcat v9.0.104 and above?

              Assignee: Unassigned
              Reporter: Security Metrics Bot