Lucene search

K

Jira Software Server Security Vulnerabilities

cve
cve

CVE-2022-26137

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability:...

8.8CVSS

9AI Score

0.003EPSS

2022-07-20 06:15 PM
79
8
cve
cve

CVE-2022-26136

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and.....

9.8CVSS

9.1AI Score

0.008EPSS

2022-07-20 06:15 PM
126
8
cve
cve

CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0.....

6.5CVSS

6.2AI Score

0.028EPSS

2022-06-30 06:15 AM
87
9
cve
cve

CVE-2022-0540

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before...

9.8CVSS

9.5AI Score

0.228EPSS

2022-04-20 07:15 PM
255
3
cve
cve

CVE-2021-41311

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint....

7.5CVSS

7.4AI Score

0.001EPSS

2021-12-08 04:15 AM
26
4
cve
cve

CVE-2021-41309

Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The...

5.3CVSS

5.2AI Score

0.001EPSS

2021-12-08 04:15 AM
28
4
cve
cve

CVE-2021-41310

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are...

6.1CVSS

5.9AI Score

0.001EPSS

2021-11-01 11:15 PM
36
cve
cve

CVE-2021-41305

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version...

7.5CVSS

7.4AI Score

0.012EPSS

2021-10-26 05:15 AM
39
cve
cve

CVE-2021-41308

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...

6.5CVSS

6.3AI Score

0.001EPSS

2021-10-26 05:15 AM
42
cve
cve

CVE-2021-41306

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from...

7.5CVSS

7.4AI Score

0.012EPSS

2021-10-26 05:15 AM
42
cve
cve

CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version...

7.5CVSS

7.5AI Score

0.01EPSS

2021-10-26 05:15 AM
37
cve
cve

CVE-2021-39127

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before...

5.3CVSS

5.2AI Score

0.002EPSS

2021-10-21 03:15 AM
44
cve
cve

CVE-2021-26071

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery...

3.5CVSS

4.4AI Score

0.0005EPSS

2021-04-01 03:15 AM
59
cve
cve

CVE-2020-36236

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version...

6.1CVSS

5.8AI Score

0.001EPSS

2021-02-15 12:15 AM
70
2
cve
cve

CVE-2020-36235

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before...

5.3CVSS

5.1AI Score

0.002EPSS

2021-02-15 12:15 AM
62
3
cve
cve

CVE-2020-36231

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before...

4.3CVSS

4.7AI Score

0.001EPSS

2021-02-02 12:15 AM
45
2
cve
cve

CVE-2020-14178

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0...

7.5CVSS

7.3AI Score

0.018EPSS

2020-09-01 05:15 AM
49
1
cve
cve

CVE-2020-14174

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before...

4.3CVSS

4.6AI Score

0.001EPSS

2020-07-13 05:15 AM
67
cve
cve

CVE-2019-20898

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version...

7.5CVSS

7.3AI Score

0.013EPSS

2020-07-13 01:15 AM
55
cve
cve

CVE-2019-20899

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before...

5.3CVSS

5.2AI Score

0.002EPSS

2020-07-13 01:15 AM
20
cve
cve

CVE-2019-20897

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before...

6.5CVSS

6.2AI Score

0.001EPSS

2020-07-13 01:15 AM
29
cve
cve

CVE-2020-14173

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version...

5.4CVSS

5.3AI Score

0.001EPSS

2020-07-03 02:15 AM
55
cve
cve

CVE-2020-14172

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote.....

9.8CVSS

9.8AI Score

0.003EPSS

2020-07-03 02:15 AM
58
cve
cve

CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version...

6.5CVSS

6.4AI Score

0.001EPSS

2020-07-03 01:15 AM
35
cve
cve

CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0.....

6.5CVSS

6.1AI Score

0.004EPSS

2020-07-03 12:00 AM
30
cve
cve

CVE-2020-4025

The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site....

4.8CVSS

5AI Score

0.001EPSS

2020-07-01 02:15 AM
51
cve
cve

CVE-2020-4024

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml.....

5.4CVSS

5.2AI Score

0.001EPSS

2020-07-01 02:15 AM
47
cve
cve

CVE-2020-14169

The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS)...

6.1CVSS

5.9AI Score

0.001EPSS

2020-07-01 02:15 AM
46
cve
cve

CVE-2020-4029

The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization...

4.3CVSS

4.6AI Score

0.001EPSS

2020-07-01 02:15 AM
78
cve
cve

CVE-2020-4022

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart...

6.1CVSS

5.8AI Score

0.001EPSS

2020-07-01 02:15 AM
56
cve
cve

CVE-2020-14168

The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM)...

5.9CVSS

5.5AI Score

0.005EPSS

2020-07-01 02:15 AM
47
cve
cve

CVE-2020-14165

The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization...

5.3CVSS

5.1AI Score

0.002EPSS

2020-07-01 02:15 AM
38
cve
cve

CVE-2020-14164

The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor...

6.1CVSS

6AI Score

0.001EPSS

2020-07-01 02:15 AM
39
cve
cve

CVE-2020-14167

The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS)...

7.5CVSS

7.4AI Score

0.003EPSS

2020-07-01 02:15 AM
40
cve
cve

CVE-2019-20416

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version...

4.8CVSS

4.9AI Score

0.001EPSS

2020-06-30 03:15 AM
47
cve
cve

CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before...

4.3CVSS

4.6AI Score

0.001EPSS

2020-06-30 03:15 AM
61
cve
cve

CVE-2019-20414

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before...

5.4CVSS

5.3AI Score

0.001EPSS

2020-06-29 07:15 AM
26
cve
cve

CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types;...

5.3CVSS

5.2AI Score

0.002EPSS

2020-06-29 06:15 AM
25
cve
cve

CVE-2019-20413

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before...

7.5CVSS

7.4AI Score

0.003EPSS

2020-06-29 06:15 AM
28
cve
cve

CVE-2020-4028

Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure...

5.3CVSS

5AI Score

0.001EPSS

2020-06-23 01:15 PM
28
cve
cve

CVE-2019-20409

The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection...

9.8CVSS

10AI Score

0.005EPSS

2020-06-23 06:15 AM
41
cve
cve

CVE-2020-4021

Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export...

5.4CVSS

5.3AI Score

0.001EPSS

2020-06-01 07:15 AM
47
cve
cve

CVE-2019-20407

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation...

4.3CVSS

4.4AI Score

0.001EPSS

2020-03-17 03:15 AM
62
cve
cve

CVE-2019-20402

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization...

4.9CVSS

5.1AI Score

0.001EPSS

2020-02-06 03:15 AM
77
cve
cve

CVE-2019-20106

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control...

4.3CVSS

4.6AI Score

0.001EPSS

2020-02-06 03:15 AM
87