Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/06/18 2:45 a.m.75 views

XSS in API and Integrations - CVE-2020-14166

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in API and Integrations. Affected versions: version 4.10.0 Fixed versions: 4.10.0...

4.8CVSS5.6AI score0.0194EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:23 a.m.75 views

User enumeration through the issueTable resource - CVE-2019-8446

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.7AI score0.1755EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:10 a.m.75 views

XSS in the editinword resource through the contents of an uploaded file - CVE-2017-18083

The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the contents of an uploaded file...

5.4CVSS5.1AI score0.00591EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/08 7:34 a.m.75 views

Applink configuration data is exposed anonymously

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-38225. panel If you make an anonymous GET request to /rest/issueLinkAppLink/1/appLink/info , the instance will tell you all the names, IDs an...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/08 3:44 a.m.74 views

Json-smart Vulnerability in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 4.20.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2022/10/12 9:46 p.m.74 views

Critical severity command injection vulnerability - CVE-2022-43781

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center...

9.8CVSS2.2AI score0.98076EPSS
Exploits3
Atlassian
Atlassian
added 2022/09/14 6:31 a.m.75 views

Synchrony Proxy: spring-beans 5.3.19 is vulnerable to CVE-2022-22970

h3. Issue Summary spring-beans is vulnerable to CVE-2022-22970 This is reproducible on Data Center: yes h3. Steps to Reproduce Install Confluence 7.13.9 Step 2 h3. Expected Results Expect that synchrony-proxy/WEB-INF/lib contains spring-beans-5.3.20.jar or higher h3. Actual Results...

5.3CVSS6.2AI score0.01978EPSS
Exploits1
Atlassian
Atlassian
added 2020/09/16 3:8 a.m.74 views

User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies. The...

5.3CVSS3.6AI score0.99209EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:53 a.m.74 views

Open redirect in startup.jsp - CVE-2019-11585

The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect...

6.1CVSS5AI score0.01217EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/13 4:43 a.m.74 views

Multiple Vulnerabilities in JIRA Workflow Servlet

||Affected Versions|| |4.2.4 = version 6.3.0| An anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way...

9.8CVSS4.6AI score0.16239EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2012/04/12 2:24 p.m.74 views

Confluence Page View Restriction is not Inherited when Ancestor CONFANCESTORS Table Gets out of Sync

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-25189. panel When Confluence ancestor CONFANCESTORS table gets out of sync or corrupted. Page View restriction are not inherite...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/24 5:42 a.m.74 views

Warn about assigning "Anyone" group in Global and Project permissions

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-18076. panel Assigning anyone to global permissions such as a "Browse user" is a sure way to shoot yourself in the foot inadvertently. We ma...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/11/29 11:55 p.m.73 views

Upgrade Tomcat to fix CVE-2023-46589

h3. Issue Summary This is reproducible on Data Center: / Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a later version to fix CVE-2023-46589|https://nvd.nist.gov/vuln/detail/CVE-2023-46589 h3. Environment 8.1.x to 9.4.x h3. Steps to Reproduce Check the Apache Tomcat version...

7.5CVSS7AI score0.02651EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/10 11:5 a.m.73 views

Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

Git LFS is vulnerable to remote code execution on Windows CVE-2021-21237: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix...

10CVSS5.1AI score0.82715EPSS
Exploits14Affected Software1
Atlassian
Atlassian
added 2016/02/04 2:48 a.m.73 views

Update Java version bundled found in the installer to a version >= 1.8u71

Update the bundled version of java to a version = 1.8u71 1.8 update 71, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlAppendixJAVA. Included in the security fixes is a fix for CVE-2016-0483 "An out-of-bounds write flaw was found in the...

10CVSS2AI score0.14714EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/04/01 2:35 p.m.73 views

Avatars appear on Activity Stream even for anonymous users

Every user, independent of privileges, is able to see entries related to user's avatar change on Activity Stream. It also happens for users that are not logged in. See attached image...

3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/12/20 8:46 a.m.72 views

Upgrade Struts to avoid false-positive scanner warnings about CVE-2024-53677

h3. Issue Summary Recent CVE-2024-53677 at Struts triggers vulnerability scanners warning. panel:title=Bamboo is not affected Supported versions of Bamboo 9.2+, 9.6+, 10.2+ are not affected because FileUploadInterceptor doesn't handle uploaded files. panel h3. Steps to Reproduce See WEB-INB/lib...

9.8CVSS6.6AI score0.78198EPSS
Exploits15
Atlassian
Atlassian
added 2024/02/14 10:47 a.m.72 views

RCE (Remote Code Execution) org.apache.xmlgraphics:batik-bridge Dependency in Jira Software Data Center and Server

This High severity org.apache.xmlgraphics:batik-bridge Dependency RCE Remote Code Execution vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This org.apache.xmlgraphics:batik-bridge...

7.5CVSS7.7AI score0.02143EPSS
Exploits0
Atlassian
Atlassian
added 2023/06/23 7:25 p.m.72 views

Update Spring-Security used on Bitbucket to fix CVE-2023-20862

h3. Problem All Bitbucket versions, excluding 8.11.x, use Spring Security 5.7.7 or older, leading to Security scans listing Bitbucket as vulnerable to CVE-2023-20862|https://spring.io/security/cve-2023-20862. h3. Environment Any Bitbucket older than version 8.11.0 h3. Steps to Reproduce Check wha...

6.3CVSS6.8AI score0.00648EPSS
Exploits0
Atlassian
Atlassian
added 2022/04/20 8:14 p.m.72 views

A vulnerable version of Apache Tomcat was used in Jira Server (CVE-2020-9484, CVE-2022-23181)

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-9484 and CVE-2022-23181. The affected versions of Jira Server and Data Center are before version 8.13.20, from version 8.14.0 before 8.20.8, from version 8.21.0 before 8.22.2...

7CVSS7.3AI score0.56636EPSS
Exploits15
Atlassian
Atlassian
added 2019/10/17 7:26 p.m.72 views

Comment properties do not respect permissions

h3. Issue Summary Comment properties do not respect permissions on the comment like the docs say|https://docs.atlassian.com/software/jira/docs/api/REST/8.4.1/api/2/comment/%7BcommentId%7D/properties-getProperty This issue was reported via bugbounty...

Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:57 p.m.72 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Crucible before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Crucible...

6.1CVSS2AI score0.87218EPSS
Exploits4
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.72 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/01/06 2:2 a.m.71 views

Request smuggling via a vulnerable version of Apache Tomcat - CVE-2021-33037

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to request smuggling via CVE-2021-33037. The affected versions of Atlassian Jira Server and Data Center are before version 8.21.0. Affected versions: version 8.21.0 Fixed versions: 8.21....

5.3CVSS6AI score0.75353EPSS
Exploits1
Atlassian
Atlassian
added 2021/07/21 12:18 a.m.71 views

Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085

Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. This vulnerability was...

5.3CVSS5.5AI score0.99999EPSS
Exploits12
Atlassian
Atlassian
added 2021/05/06 8:5 a.m.71 views

Stored XSS on Jira Issue XML Export - CVE-2021-26082

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in XML Export. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0. Affected...

5.4CVSS4.3AI score0.00735EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:43 p.m.71 views

Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities

Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were: CVE-2012-0881 CVE-2019-10172 CVE-2018-1000632 CVE-2016-1000031 CVE-2014-0114...

9.8CVSS9AI score0.96121EPSS
Exploits12
Atlassian
Atlassian
added 2021/01/20 2:33 a.m.71 views

Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability BAC vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS6.5AI score0.01272EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/29 1:40 p.m.71 views

Upgrade Tomcat to version 9.0.37

h3. Issue Summary The current version of Tomcat 9.0.33 bundled with Confluence at least up to Confluence version 7.6 is vulnerable to HTTP/2 Denial of Service CVE-2020-11996 https://tomcat.apache.org/security-8.htmlFixedinApacheTomcat9.0.36...

7.5CVSS7.6AI score0.26699EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:13 a.m.71 views

XSS in Issue - Attachments - CVE-2020-4022

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in Issue attachments. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed versions: 8.5.5 8.8.2 8.9....

6.1CVSS5.4AI score0.01135EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/27 3:45 a.m.71 views

RCE in jackson-databind

h3. Issue Summary Jira Server used a vulnerable version of jackson-databind . In specific, the issue was present in FasterXML jackson-databind 2.x before 2.9.10.2 . More information here: https://nvd.nist.gov/vuln/detail/CVE-2019-20330. Upgrade jackson-databind to at least version 2.9.10.20200103...

9.8CVSS1.2AI score0.0864EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.71 views

https://jira.atlassian.com/browse/JRASERVER-70409 for Bitbucket Server

The version of the Application Links plugin used in Bitbucket Server and Bitbucket Data Center before version 5.16.6, from version 6.0.0 before version 6.0.6, from version 6.1.0 before version 6.1.5, from version 6.2.0 before version 6.2.2, and from version 6.3.0 before version 6.3.1 allows remot...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/11 4:1 a.m.71 views

Confluence Server and Data Center - Atlassian Companion Man-in-the-Middle - CVE-2019-15006

h3. Issue Summary There was a man-in-the-middle MITM vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence...

6.5CVSS2AI score0.01905EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/17 2:15 a.m.71 views

Various Cross-site request forgery(CSRF) vulnerabilities in the Jira-importers-plugin - CVE-2017-18033

The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery CSRF vulnerabilities...

6.5CVSS7.1AI score0.00545EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/21 1:8 a.m.71 views

Administrators should have the ability to restrict access to the System dashboard and the Browse Projects Page

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-64165. panel Administrators should have the ability to restrict access to the System dashboard and the Browse Projects Page which by default...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/13 7:48 p.m.71 views

SourceTree 7za Vulnerability.

SourceTree Version 1.8.3 installs a 7za.exe C:\Program Files x86\Atlassian\SourceTree\tools\7za.exe in Version 9.20, which has known vulnerabilities: CVE-2016-2334 CVE-2016-2335 More information about the vulnerabilities: http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html...

9.3CVSS1.7AI score0.14742EPSS
Exploits5
Atlassian
Atlassian
added 2016/03/02 3:34 p.m.71 views

Responses with Set-Cookie header cached

h3. Context We have Confluence running with SSO from Crowd. Confluence is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-control, Expire and Pragma HTTP headers. h3. Problem We have discovered following cases of sessions mix up where a user \1 get...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/02/01 7:34 p.m.70 views

Upgrade Moment.js to 2.22.1+ as required for CVE-2017-18214, CVE-2016-4055

Affected versions of Atlassian Jira Server and Data Center used versions of Moment.js that were vulnerable to CVE-2017-18214 and CVE-2016-4055. The affected versions of Atlassian Jira Server and Data Center are before version 8.22.0. Affected versions: version 8.22.0 Fixed versions: 9.3.1/9.4.0...

7.8CVSS6.9AI score0.09905EPSS
Exploits1
Atlassian
Atlassian
added 2021/08/25 4:24 a.m.70 views

Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a ServerSide Template Injection vulnerability in the Email Template feature. The affected...

9CVSS7.2AI score0.04483EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/02 12:39 a.m.70 views

Cached content persisting after disabling anonymous access for allowlist URLs - CVE-2021-39113

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version...

7.5CVSS5.9AI score0.01809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/12 3:50 p.m.70 views

8.5 and 8.13 LTS releases should bundle Tomcat 8.5.63 or higher

h3. Issue Summary The Apache Tomcat version used by the currently available LTS Long Term Support releases has a few vulnerabilities, therefore the next LTS release should bundle an updated version of Tomcat. h3. Steps to Reproduce Not applicable. h3. Expected Results Not applicable. h3. Actual...

7.5CVSS2AI score0.18114EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2020/06/01 4:50 a.m.70 views

bugbounty: User having no permission is able to delete users which are responsible for failed builds.

https://asecurityteam.atlassian.net/browse/BOUNTY-2643 h1. Summary Authorisation check missing in: /ajax/tracking/removeUserFromTracking.action h1. Steps to Reproduce Steps-Of-Reproduction:- Open two browsers and login as admin in one browser and normal user with another browser. Create a project...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/30 9:4 a.m.70 views

The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2020-1935|https://vulners.com/cve/CVE-2020-1935 CVE-2019-17569|https://vulners.com/cve/CVE-2019-17569 CVE-2020-1938|https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2020-1938 Which affects the following...

9.8CVSS7AI score0.9927EPSS
Exploits45
Atlassian
Atlassian
added 2020/04/16 7:46 p.m.70 views

Information disclosure in the /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin - CVE-2020-4017

The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability...

5.3CVSS4.5AI score0.01245EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/16 6:55 p.m.70 views

Improper authorization vulnerablity in the /profile/deleteWatch.do resource- CVE-2020-4014

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability...

4.3CVSS5.9AI score0.00765EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:24 a.m.70 views

XSS via Issue Navigator Basic Search - CVE-2019-20414

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in Issue Navigator Basic Search. Affected versions: version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.13.9 8.4.2 8.5.0...

5.4CVSS4.4AI score0.01047EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.70 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Crucible before version 4.7.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3.2AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/30 2:30 a.m.70 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Confluence before version 6.15.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more detail...

5.4CVSS3.4AI score0.03401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/17 8:48 a.m.70 views

Update bundled Apache Tomcat due to security vulnerabilities

Apache has released the Apache Software Foundation Releases Security Updates: https://www.us-cert.gov/ncas/current-activity/2017/04/12/Apache-Software-Foundation-Releases-Security-Updates There are a few vulnerabilities reported: CVE-2017-5648 -...

9.8CVSS7.2AI score0.39633EPSS
Exploits7
Atlassian
Atlassian
added 2016/07/31 11:34 p.m.70 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect Confluence...

8.1CVSS2.8AI score0.00509EPSS
Exploits0Affected Software1
Total number of security vulnerabilities4295