Security Advisories & Bulletins
Security advisories for Atlassian server products are released on Tuesdays. Security Bulletins are released on the third Tuesday of every month. To search previous disclosures, see our Vulnerability Disclosure Portal. For information on Atlassian cloud security, see our Security page.
Security Advisories and Bulletins
- Security Bulletin - November 21 2023
- Security Bulletin - October 17 2023
- CVE-2019-13990 - XXE (XML External Entity Injection) Vulnerability In Jira Service Management Data Center and Jira Service Management Server
- Security Bulletin - September 19 2023
- Security Bulletin - August 15 2023
- Security Bulletin - July 18 2023
What are Security Bulletins?
Security Bulletins provide you with detailed information about vulnerabilities mitigated in new versions, allowing you to make more informed decisions about updating our products outside of Critical Security Advisories requiring immediate action.
In addition to version upgrade recommendations, each Security Bulletin includes a high-level summary of the vulnerability, the CVSS score and severity (severity does not reflect risk; read more about CVSS), CVE ID, and a link to the detailed ticket on jira.atlassian.com.
What types of vulnerabilities are included in the Security Bulletin?
Security Bulletin disclosures include unique critical and high-severity vulnerabilities, as well as dependency vulnerabilities, for our server and DC products.
Is there a Security Bulletin for Cloud customers?
No, the Security Bulletin is for server and DC products only. We are able to seamlessly patch Cloud vulnerabilities without any action required on the part of the customer. For information on Atlassian cloud security, see our Security page.
What do customers need to do when a Security Bulletin is released?
Upgrading to new versions in a timely manner is an important step in keeping your Atlassian server and DC products secure, and we encourage customers to keep versions current. Though we will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action, our goal with the Security Bulletin is to issue non-critical updates that can be supported on a regular maintenance schedule.
Is this change due to an increase in the number of vulnerabilities in Atlassian products?
No, the Security Bulletin and Portal are an enhancement to our ability to disclose fixed vulnerabilities, and do not reflect any changes in our processes to identify and fix them. The types of fixed vulnerabilities you will see in the new disclosures were previously fixed in released product versions. With this new monthly cadence, we’re able to offer greater transparency into the list of vulnerabilities mitigated under each new version (not just the most pressing) and encourage customers to support security best practices with a regular maintenance schedule. Atlassian will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action.