Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2017/12/18 2:40 a.m.73 views

XSS through the jqlQuery query parameter to the printable searchrequest issue resource - CVE-2017-14594

The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the jqlQuery query parameter...

6.1CVSS5.7AI score0.01039EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/13 4:43 a.m.73 views

Multiple Vulnerabilities in JIRA Workflow Servlet

||Affected Versions|| |4.2.4 = version 6.3.0| An anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way...

9.8CVSS4.6AI score0.16239EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2016/02/04 2:48 a.m.73 views

Update Java version bundled found in the installer to a version >= 1.8u71

Update the bundled version of java to a version = 1.8u71 1.8 update 71, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlAppendixJAVA. Included in the security fixes is a fix for CVE-2016-0483 "An out-of-bounds write flaw was found in the...

10CVSS2AI score0.14714EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/08 7:34 a.m.73 views

Applink configuration data is exposed anonymously

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-38225. panel If you make an anonymous GET request to /rest/issueLinkAppLink/1/appLink/info , the instance will tell you all the names, IDs an...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/04/01 2:35 p.m.73 views

Avatars appear on Activity Stream even for anonymous users

Every user, independent of privileges, is able to see entries related to user's avatar change on Activity Stream. It also happens for users that are not logged in. See attached image...

3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/24 5:42 a.m.73 views

Warn about assigning "Anyone" group in Global and Project permissions

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-18076. panel Assigning anyone to global permissions such as a "Browse user" is a sure way to shoot yourself in the foot inadvertently. We ma...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/12/20 8:46 a.m.72 views

Upgrade Struts to avoid false-positive scanner warnings about CVE-2024-53677

h3. Issue Summary Recent CVE-2024-53677 at Struts triggers vulnerability scanners warning. panel:title=Bamboo is not affected Supported versions of Bamboo 9.2+, 9.6+, 10.2+ are not affected because FileUploadInterceptor doesn't handle uploaded files. panel h3. Steps to Reproduce See WEB-INB/lib...

9.8CVSS6.6AI score0.78198EPSS
Exploits15
Atlassian
Atlassian
added 2024/02/14 10:47 a.m.72 views

RCE (Remote Code Execution) org.apache.xmlgraphics:batik-bridge Dependency in Jira Software Data Center and Server

This High severity org.apache.xmlgraphics:batik-bridge Dependency RCE Remote Code Execution vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This org.apache.xmlgraphics:batik-bridge...

7.5CVSS7.7AI score0.02143EPSS
Exploits0
Atlassian
Atlassian
added 2023/06/23 7:25 p.m.72 views

Update Spring-Security used on Bitbucket to fix CVE-2023-20862

h3. Problem All Bitbucket versions, excluding 8.11.x, use Spring Security 5.7.7 or older, leading to Security scans listing Bitbucket as vulnerable to CVE-2023-20862|https://spring.io/security/cve-2023-20862. h3. Environment Any Bitbucket older than version 8.11.0 h3. Steps to Reproduce Check wha...

6.3CVSS6.8AI score0.00648EPSS
Exploits0
Atlassian
Atlassian
added 2022/04/20 8:14 p.m.72 views

A vulnerable version of Apache Tomcat was used in Jira Server (CVE-2020-9484, CVE-2022-23181)

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-9484 and CVE-2022-23181. The affected versions of Jira Server and Data Center are before version 8.13.20, from version 8.14.0 before 8.20.8, from version 8.21.0 before 8.22.2...

7CVSS7.3AI score0.56636EPSS
Exploits15
Atlassian
Atlassian
added 2021/03/10 11:5 a.m.72 views

Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

Git LFS is vulnerable to remote code execution on Windows CVE-2021-21237: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix...

10CVSS5.1AI score0.82715EPSS
Exploits14Affected Software1
Atlassian
Atlassian
added 2020/06/16 2:46 a.m.72 views

XSS in WYSIWYG editor via pasted code - CVE-2020-14164

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the WYSIWYG editor. The affected versions are before 8.5.9, and from version 8.6.0 before 8.8.2. Affected versions: version...

6.1CVSS4.8AI score0.00732EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/17 7:26 p.m.72 views

Comment properties do not respect permissions

h3. Issue Summary Comment properties do not respect permissions on the comment like the docs say|https://docs.atlassian.com/software/jira/docs/api/REST/8.4.1/api/2/comment/%7BcommentId%7D/properties-getProperty This issue was reported via bugbounty...

Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:23 a.m.72 views

User enumeration through the issueTable resource - CVE-2019-8446

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.7AI score0.1755EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:57 p.m.72 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Crucible before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Crucible...

6.1CVSS2AI score0.87218EPSS
Exploits4
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.72 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/01/06 2:2 a.m.71 views

Request smuggling via a vulnerable version of Apache Tomcat - CVE-2021-33037

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to request smuggling via CVE-2021-33037. The affected versions of Atlassian Jira Server and Data Center are before version 8.21.0. Affected versions: version 8.21.0 Fixed versions: 8.21....

5.3CVSS6AI score0.75353EPSS
Exploits1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.71 views

Denial of Service when reading particularly-crafted GIF files - CVE-2021-39116

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the GIF Image Reader component. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed versions...

5.5CVSS6.5AI score0.01066EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/21 12:18 a.m.71 views

Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085

Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. This vulnerability was...

5.3CVSS5.5AI score0.99999EPSS
Exploits12
Atlassian
Atlassian
added 2021/05/06 8:2 a.m.71 views

Vulnerability in Search Template Leads to Reflected XSS JIRA Software Server - CVE-2021-26078

Affected versions of Jira Server and Jira Data Center have a XSS vulnerability in the number range searcher component which allows remote attackers to inject arbitrary HTML or JavaScript. Affected versions: versions 8.5.14 8.6.0 ≤ version 8.13.6 8.14.0 ≤ version 8.16.1 Fixed versions: 8.5.14...

6.1CVSS3.8AI score0.04049EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:43 p.m.71 views

Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities

Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were: CVE-2012-0881 CVE-2019-10172 CVE-2018-1000632 CVE-2016-1000031 CVE-2014-0114...

9.8CVSS9AI score0.96121EPSS
Exploits12
Atlassian
Atlassian
added 2021/01/20 2:33 a.m.71 views

Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability BAC vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS6.5AI score0.01272EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/29 1:40 p.m.71 views

Upgrade Tomcat to version 9.0.37

h3. Issue Summary The current version of Tomcat 9.0.33 bundled with Confluence at least up to Confluence version 7.6 is vulnerable to HTTP/2 Denial of Service CVE-2020-11996 https://tomcat.apache.org/security-8.htmlFixedinApacheTomcat9.0.36...

7.5CVSS7.6AI score0.26699EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:13 a.m.71 views

XSS in Issue - Attachments - CVE-2020-4022

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in Issue attachments. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed versions: 8.5.5 8.8.2 8.9....

6.1CVSS5.4AI score0.01135EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/27 3:45 a.m.71 views

RCE in jackson-databind

h3. Issue Summary Jira Server used a vulnerable version of jackson-databind . In specific, the issue was present in FasterXML jackson-databind 2.x before 2.9.10.2 . More information here: https://nvd.nist.gov/vuln/detail/CVE-2019-20330. Upgrade jackson-databind to at least version 2.9.10.20200103...

9.8CVSS1.2AI score0.0864EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.71 views

https://jira.atlassian.com/browse/JRASERVER-70409 for Bitbucket Server

The version of the Application Links plugin used in Bitbucket Server and Bitbucket Data Center before version 5.16.6, from version 6.0.0 before version 6.0.6, from version 6.1.0 before version 6.1.5, from version 6.2.0 before version 6.2.2, and from version 6.3.0 before version 6.3.1 allows remot...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/11 4:1 a.m.71 views

Confluence Server and Data Center - Atlassian Companion Man-in-the-Middle - CVE-2019-15006

h3. Issue Summary There was a man-in-the-middle MITM vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence...

6.5CVSS2AI score0.01905EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/17 2:15 a.m.71 views

Various Cross-site request forgery(CSRF) vulnerabilities in the Jira-importers-plugin - CVE-2017-18033

The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery CSRF vulnerabilities...

6.5CVSS7.1AI score0.00545EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/13 7:48 p.m.71 views

SourceTree 7za Vulnerability.

SourceTree Version 1.8.3 installs a 7za.exe C:\Program Files x86\Atlassian\SourceTree\tools\7za.exe in Version 9.20, which has known vulnerabilities: CVE-2016-2334 CVE-2016-2335 More information about the vulnerabilities: http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html...

9.3CVSS1.7AI score0.14742EPSS
Exploits5
Atlassian
Atlassian
added 2016/03/02 3:34 p.m.71 views

Responses with Set-Cookie header cached

h3. Context We have Confluence running with SSO from Crowd. Confluence is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-control, Expire and Pragma HTTP headers. h3. Problem We have discovered following cases of sessions mix up where a user \1 get...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/02/01 7:34 p.m.70 views

Upgrade Moment.js to 2.22.1+ as required for CVE-2017-18214, CVE-2016-4055

Affected versions of Atlassian Jira Server and Data Center used versions of Moment.js that were vulnerable to CVE-2017-18214 and CVE-2016-4055. The affected versions of Atlassian Jira Server and Data Center are before version 8.22.0. Affected versions: version 8.22.0 Fixed versions: 9.3.1/9.4.0...

7.8CVSS6.9AI score0.09905EPSS
Exploits1
Atlassian
Atlassian
added 2021/08/25 4:24 a.m.70 views

Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a ServerSide Template Injection vulnerability in the Email Template feature. The affected...

9CVSS7.2AI score0.04483EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/09/16 3:8 a.m.70 views

User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies. The...

5.3CVSS3.6AI score0.99209EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/06/01 4:50 a.m.70 views

bugbounty: User having no permission is able to delete users which are responsible for failed builds.

https://asecurityteam.atlassian.net/browse/BOUNTY-2643 h1. Summary Authorisation check missing in: /ajax/tracking/removeUserFromTracking.action h1. Steps to Reproduce Steps-Of-Reproduction:- Open two browsers and login as admin in one browser and normal user with another browser. Create a project...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/30 9:4 a.m.70 views

The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2020-1935|https://vulners.com/cve/CVE-2020-1935 CVE-2019-17569|https://vulners.com/cve/CVE-2019-17569 CVE-2020-1938|https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2020-1938 Which affects the following...

9.8CVSS7AI score0.9927EPSS
Exploits45
Atlassian
Atlassian
added 2020/04/16 6:55 p.m.70 views

Improper authorization vulnerablity in the /profile/deleteWatch.do resource- CVE-2020-4014

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability...

4.3CVSS5.9AI score0.00765EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.70 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Crucible before version 4.7.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3.2AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/30 2:30 a.m.70 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Confluence before version 6.15.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more detail...

5.4CVSS3.4AI score0.03401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/17 8:48 a.m.70 views

Update bundled Apache Tomcat due to security vulnerabilities

Apache has released the Apache Software Foundation Releases Security Updates: https://www.us-cert.gov/ncas/current-activity/2017/04/12/Apache-Software-Foundation-Releases-Security-Updates There are a few vulnerabilities reported: CVE-2017-5648 -...

9.8CVSS7.2AI score0.39633EPSS
Exploits7
Atlassian
Atlassian
added 2017/02/21 1:8 a.m.70 views

Administrators should have the ability to restrict access to the System dashboard and the Browse Projects Page

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-64165. panel Administrators should have the ability to restrict access to the System dashboard and the Browse Projects Page which by default...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/31 11:34 p.m.70 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect Confluence...

8.1CVSS2.8AI score0.00509EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/12 2:24 p.m.70 views

Confluence Page View Restriction is not Inherited when Ancestor CONFANCESTORS Table Gets out of Sync

When Confluence ancestor CONFANCESTORS table gets out of sync or corrupted. Page View restriction are not inherited to the child pages. This might be quite random, as in not every child pages are affected. IMHO, we should have CONF-25188 implemented to help this out. h5. Workaround Please follow...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/04/04 4:45 a.m.69 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Software Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in versions 8.20.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. This net.minidev:json-smart Dependency vulnerability, wit...

7.5CVSS7.7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2023/09/26 4:17 p.m.69 views

Cache Poisoning org.eclipse.jetty:jetty-server in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.10.1, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS9.3AI score0.06411EPSS
Exploits0
Atlassian
Atlassian
added 2023/05/22 5:35 a.m.69 views

Export feature adds clear text password to the directories configuration on the zip file - Import fails with "Can't decrypt data"

h3. Problem When exporting a Bamboo configuration, the resulting zip file will contain clear-text passwords on db-export/directories.xml. This introduces a security issue and a broken import with the following error: code:java 2023-05-22 15:18:52,590 INFO main SecretEncryptionServiceImpl Can't...

7.4AI score
Exploits0
Atlassian
Atlassian
added 2021/04/12 3:50 p.m.69 views

8.5 and 8.13 LTS releases should bundle Tomcat 8.5.63 or higher

h3. Issue Summary The Apache Tomcat version used by the currently available LTS Long Term Support releases has a few vulnerabilities, therefore the next LTS release should bundle an updated version of Tomcat. h3. Steps to Reproduce Not applicable. h3. Expected Results Not applicable. h3. Actual...

7.5CVSS2AI score0.18114EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2021/03/17 9:41 p.m.69 views

CSRF in the SetFeatureEnabled.jspa resource - CVE-2021-26071

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery CS...

3.5CVSS6.4AI score0.0049EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/22 11:35 a.m.69 views

Update Apache Struts 2 to avoid CVE-2020-17530

Update Apache Struts to 2.5.26 to avoid CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061...

9.8CVSS2.1AI score0.95922EPSS
Exploits11
Atlassian
Atlassian
added 2020/10/11 11:20 p.m.69 views

Security improvements to the Velocity Uberspector

This ticket documents an improvement to the Velocity Uberspector's security, locking down which classes can be accessed. This change is a defence-in-depth against potential Remote Code Execution RCE and Injection attacks. The versions which do not have this improvement are before version 8.12.3...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/20 4:18 p.m.69 views

XSS in branch name

h3. Issue Summary Advisory: Stored Cross-site scripting Description =========== Short summary of the vulnerability. A stored cross-site scripting XSS vulnerability was discovered in the Commits section of the Bitbucket application. An attacker can create a branch and inject an XSS payload into th...

0.4AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295