Lucene search

35 matches found

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2019-10661

Malware in sbrugna...

CVSS 4.9 | AI score 5 | EPSS 0.00198
Exploits: 0 | References: 3
Atlassian
added 2023/09/11 7:59 a.m. | 17 views

websudo does not work for space admins in Confluence version 8.5.1

h3. Issue Summary This is reproducible on the Data Center: yes Issue happens only on 8.5.1 and works fine on 8.5.0 h3. Steps to Reproduce 1. Install Confluence Data Center 8.5.1 2. Create a Confluence test user with can use permissions in Global permissions 3. Assign all the space permissions in ...

AI score 6.8
Exploits: 0
Tenable Nessus
added 2022/07/06 12:0 a.m. | 13 views

Atlassian Jira < 8.13.18 / 8.14.x < 8.20.6 / 8.21.x < 8.22.0 (JRASERVER-73594)

The version of Atlassian Jira installed on the remote host is prior to 8.13.18 / 8.14.x < 8.20.6 / 8.21.x < 8.22.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-73594 advisory. - Affected versions of Atlassian Jira Server and Data Center allow attackers with...

AI score 5.6
Exploits: 0 | References: 1
Tenable Nessus
added 2022/07/06 12:0 a.m. | 15 views

Atlassian Jira < 8.13.23 / 8.20.0 < 8.20.11 / 8.21.0 < 9.0.0 (JRASERVER-73597)

The version of Atlassian Jira installed on the remote host is prior to 8.13.23 / 8.20.0 < 8.20.11 / 8.21.0 < 9.0.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-73597 advisory. - Affected versions of Atlassian Jira Server and Data Center allow remote attackers with...

AI score 5.7
Exploits: 0 | References: 1
Atlassian
added 2022/03/16 5:14 a.m. | 14 views

Admin user can change Base URL without WebSudo validation

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to change the Base URL of a Jira instance via a Broken Access Control vulnerability in the /rest/api/2/settings/baseUrl endpoint. The affected...

AI score 5.7
Exploits: 0
Positive Technologies
added 2020/07/02 12:0 a.m. | 1 view

PT-2020-10434 · Atlassian · Jira

Name of the Vulnerable Software and Affected Versions: Atlassian Jira Server and Data Center versions prior to 8.4.2 Description: The issue allows remote attackers to enumerate internal services via an Information Disclosure vulnerability. This is only exploitable if WebSudo is disabled in Jira...

AI score 6.5
Exploits: 0 | References: 3
OSV
added 2020/03/17 3:15 a.m. | 0 views

CVE-2019-20105

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have...

CVSS 4.9 | AI score 5.9 | EPSS 0.00198
Exploits: 0 | References: 2
Prion
added 2020/03/17 3:15 a.m. | 15 views

Improper access control

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have...

CVSS 4 | AI score 5.1 | EPSS 0.00198
Exploits: 0 | References: 2 | Affected Software: 1
Atlassian
added 2020/01/23 1:36 a.m. | 29 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Jira Server and Data Center before version 7.13.12, from version 8.0.0 before version 8.5.4 and from version 8.6.0 before version 8.6.1 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an...

CVSS 4.9 | AI score 5.1 | EPSS 0.00198
Exploits: 0 | Affected Software: 1
Atlassian
added 2019/11/12 12:11 a.m. | 38 views

Editing Applinks with Admin account without requiring Administrator Access (WebSudo)

h3. Issue Summary Applink can be edited without needing to log in with WebSudo access if given direct URL - $baseURL/plugins/servlet/applinks/edit/$appLink-ID User will still need to be an administrator to make this change as the page will only be accessible by an administrator as non-admin users...

AI score 1.6
Exploits: 0 | Affected Software: 1
OSV
added 2019/05/22 6:29 p.m. | 0 views

CVE-2019-8443

The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to...

CVSS 8.1 | AI score 7.3
Exploits: 0 | References: 2
Atlassian
added 2019/05/09 2:50 p.m. | 34 views

Ability to have the Websudo functionality working with SAML / SSO

h3. Problem Definition When implementing SAML either through JDC or through a vendor plugin, the net result is you have to turn off websudo because you can't get websudo and SAML to work. The effect is you can go straight into administration functions without confirmation that you should. This...

AI score 0.3
Exploits: 0 | Affected Software: 1
Atlassian
added 2019/05/09 2:50 p.m. | 29 views

Ability to have the Websudo functionality working with SAML / SSO

h3. Problem Definition When implementing SAML either through JDC or through a vendor plugin, the net result is you have to turn off websudo because you can't get websudo and SAML to work. The effect is you can go straight into administration functions without confirmation that you should. This...

AI score 0.3
Exploits: 0 | Affected Software: 1
Atlassian
added 2019/04/29 3:47 a.m. | 98 views

Authorisation bypass in the ViewUpgrades resource - CVE-2019-8443

The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to...

CVSS 8.1 | AI score 6.1 | EPSS 0.00573
Exploits: 0 | Affected Software: 1
OSV
added 2018/10/23 1:29 p.m. | 1 view

CVE-2018-13400

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version...

CVSS 4.7 | AI score 5.8 | EPSS 0.00259
Exploits: 0 | References: 2
Atlassian
added 2018/10/22 11:33 p.m. | 574 views

Several administrative resources missing WebSudo (improper access control vulnerability) - CVE-2018-13400

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version...

CVSS 6.5 | AI score 4.1 | EPSS 0.00259
Exploits: 0 | Affected Software: 1
Atlassian
added 2018/10/22 11:33 p.m. | 24 views

Several administrative resources missing WebSudo (improper access control vulnerability) - CVE-2018-13400

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version...

CVSS 6.5 | AI score 4.1 | EPSS 0.00259
Exploits: 0
Atlassian
added 2015/05/25 10:28 a.m. | 18 views

JIRA HTTP Dump Recorded Credential information As Text

Example steps to reproduce: Example 1: enable HTTP Access Logging and the HTTP dump log Change Password in the atlassian-jira-http-dump.log , the user's credential will be in the log as text Example 2: enable HTTP Access Logging and the HTTP dump log exit Administrations menu/logout go to any...

AI score 0.1
Exploits: 0 | Affected Software: 1
Atlassian
added 2014/01/06 4:10 p.m. | 28 views

Administrator can change avatar without establishing a Secure Administrator Session (WebSudo)

Administrator can click on avatar of another user and change the avatar. This doesn't require the administrator user to establish a websudo session...

AI score 6.8
Exploits: 0 | Affected Software: 1
Atlassian
added 2014/01/06 4:10 p.m. | 18 views

Administrator can change avatar without establishing a Secure Administrator Session (WebSudo)

Administrator can click on avatar of another user and change the avatar. This doesn't require the administrator user to establish a websudo session...

AI score 2
Exploits: 0 | Affected Software: 1