Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/04/16 7:46 p.m.70 views

Information disclosure in the /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin - CVE-2020-4017

The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability...

5.3CVSS4.5AI score0.01245EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.70 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Crucible before version 4.7.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3.2AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/30 2:30 a.m.70 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Confluence before version 6.15.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more detail...

5.4CVSS3.4AI score0.03401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/17 8:48 a.m.70 views

Update bundled Apache Tomcat due to security vulnerabilities

Apache has released the Apache Software Foundation Releases Security Updates: https://www.us-cert.gov/ncas/current-activity/2017/04/12/Apache-Software-Foundation-Releases-Security-Updates There are a few vulnerabilities reported: CVE-2017-5648 -...

9.8CVSS7.2AI score0.39633EPSS
Exploits7
Atlassian
Atlassian
added 2016/07/31 11:34 p.m.70 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect Confluence...

8.1CVSS2.8AI score0.00509EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/04/04 4:45 a.m.69 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Software Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in versions 8.20.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. This net.minidev:json-smart Dependency vulnerability, wit...

7.5CVSS7.7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2023/09/26 4:17 p.m.69 views

Cache Poisoning org.eclipse.jetty:jetty-server in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.10.1, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS9.3AI score0.06411EPSS
Exploits0
Atlassian
Atlassian
added 2023/05/22 5:35 a.m.69 views

Export feature adds clear text password to the directories configuration on the zip file - Import fails with "Can't decrypt data"

h3. Problem When exporting a Bamboo configuration, the resulting zip file will contain clear-text passwords on db-export/directories.xml. This introduces a security issue and a broken import with the following error: code:java 2023-05-22 15:18:52,590 INFO main SecretEncryptionServiceImpl Can't...

7.4AI score
Exploits0
Atlassian
Atlassian
added 2021/03/17 9:41 p.m.69 views

CSRF in the SetFeatureEnabled.jspa resource - CVE-2021-26071

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery CS...

3.5CVSS6.4AI score0.0049EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/22 11:35 a.m.69 views

Update Apache Struts 2 to avoid CVE-2020-17530

Update Apache Struts to 2.5.26 to avoid CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061...

9.8CVSS2.1AI score0.95922EPSS
Exploits11
Atlassian
Atlassian
added 2020/10/11 11:20 p.m.69 views

Security improvements to the Velocity Uberspector

This ticket documents an improvement to the Velocity Uberspector's security, locking down which classes can be accessed. This change is a defence-in-depth against potential Remote Code Execution RCE and Injection attacks. The versions which do not have this improvement are before version 8.12.3...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/20 4:18 p.m.69 views

XSS in branch name

h3. Issue Summary Advisory: Stored Cross-site scripting Description =========== Short summary of the vulnerability. A stored cross-site scripting XSS vulnerability was discovered in the Commits section of the Bitbucket application. An attacker can create a branch and inject an XSS payload into th...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/29 11:27 p.m.69 views

Information disclosure of project key existence vulnerability in Jira - CVE-2019-20403

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability...

5.3CVSS5.1AI score0.0147EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/18 1:19 p.m.69 views

The team calendar event notification should not contain Confluence version number

h3. Issue Summary The team calendar notification template shows the Confluence version number in the footer, which might be a security vulnerability for some customers. h3. Steps to Reproduce Create an event on the Confluence team calendar and wait for the reminder email to be sent. h3. Expected...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:48 a.m.69 views

The ViewLogging class exposed various resources that were vulnerable to CSRF - CVE-2019-11587

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery CSRF...

6.5CVSS5.9AI score0.00799EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:45 a.m.69 views

The ViewSystemInfo class doGarbageCollection method was vulnerable to CSRF - CVE-2019-11588

The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery CSRF vulnerability...

4.3CVSS6.3AI score0.00793EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/15 2:23 a.m.69 views

XSS in /includes/decorators/global-translations.jsp

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61888. panel Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: Tamper with a GET request to...

6.1CVSS5.9AI score0.02111EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2015/10/26 8:4 p.m.69 views

Rest API XSS

An unauthenticated XSS vulnerability has been confirmed in confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...

6.1CVSS0.6AI score0.02302EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2023/11/12 1:45 p.m.68 views

Deserialization com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.02656EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/18 7:56 p.m.68 views

Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

Update: 2022/04/08 23:00 UTC Coordinated Universal Time, +0 hours Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket Note the new CVE assignment does not change any other information in this advisory...

9.8CVSS3.2AI score0.71092EPSS
Exploits4
Atlassian
Atlassian
added 2021/11/01 8:34 p.m.68 views

Unicode characters allow malicious code to be hidden from a human reviewer (Confluence Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Confluence Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by th...

8.3CVSS3.8AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.68 views

Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References IDOR vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...

7.5CVSS5.8AI score0.01621EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/16 3:40 a.m.68 views

Jira is affected by Tomcat CVE-2020-13943

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-13943|https://vulners.com/cve/CVE-2020-13943. The affected versions of Jira Server and Data Center are before version 8.5.14, from version 8.6.0 before 8.13.6, and from versi...

4.3CVSS5.4AI score0.57286EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/19 10:18 p.m.68 views

Project enumeration via Jira Projects plugin report page - CVE-2020-29451

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version...

4.3CVSS4.4AI score0.00846EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/29 5:19 a.m.68 views

XSS in Issue - Attachments - CVE-2020-4025

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a rdf content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed...

4.8CVSS5.1AI score0.00918EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/15 3:29 p.m.68 views

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2019-12418|https://vulners.com/cve/CVE-2019-12418 CVE-2019-17563|https://vulners.com/cve/CVE-2019-17563 Which affects the following versions: Apache Tomcat 8.x from 8.5.0 before 8.5.50 We should bundle a more...

9.8CVSS8.3AI score0.9927EPSS
Exploits45Affected Software1
Atlassian
Atlassian
added 2019/08/12 3:26 a.m.68 views

User enumeration in the login.jsp resource - CVE-2019-8448

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability...

5.3CVSS4.9AI score0.01809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.68 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

Application Links needs to be updated see https://ecosystem.atlassian.net/browse/APL-1356. The affected versions of Application Links is/are before version 5.4.4...

4.8CVSS2.1AI score0.00635EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/12 4:17 a.m.68 views

XSS through a project or filter name in the PieChart gadget - CVE-2017-16863

The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a project or filter...

6.1CVSS5.7AI score0.00809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/05/10 10:10 a.m.67 views

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Bitbucket Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server...

7.8AI score
Exploits0
Atlassian
Atlassian
added 2023/10/08 8:44 a.m.67 views

RCE (Remote Code Execution) in - CVE-2022-1471

h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE Remote Code Execution. i Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed...

9.8CVSS9.8AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2023/03/23 10:26 p.m.67 views

Upgrade Postgres for CVE-2022-41946

h3. Issue Summary The version of Postgresql bundled in Bitbucket is affected by CVE-2022-41946|https://nvd.nist.gov/vuln/detail/CVE-2022-41946 as described below: quote pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either...

5.5CVSS5.5AI score0.0048EPSS
Exploits1
Atlassian
Atlassian
added 2021/10/28 2:54 a.m.67 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bitbucket Server / DC) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bitbucket Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS4.2AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.67 views

Anonymous users can view names of private projects and filters via Average Time in Status Gadget - CVE-2021-41306

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References IDOR vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version...

7.5CVSS5.6AI score0.0157EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/04 2:52 p.m.67 views

Vulnerable version of XStream used in Jira Server and Data Center - CVE-2021-29505

Affected versions of Atlassian Jira Server and Data Center used versions of XStream that were vulnerable to security exploits including CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html. The affected versions of Jira Server and Data Center are before version 8.18.0. Affected versions:...

8.8CVSS8.3AI score0.77735EPSS
Exploits1
Atlassian
Atlassian
added 2020/10/28 5:45 p.m.67 views

Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

Affected versions of Atlassian Dev Tools allow remote attackers to browse local files via an Insecure Direct Object References IDOR vulnerability in WEB-INF in Fisheye/Crucible. The affected versions are before version 4.8.5. Affected versions: version 4.8.5 Fixed versions: 4.8.5 4.9.0...

5.3CVSS5.8AI score0.01144EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/08/03 12:57 a.m.67 views

Information disclosure of repository HTTP password in logs - CVE-2017-18112

Affected versions of Atlassian FishEye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. Affected versions: version 4.8.3 Fixed versions: 4.8.3 4.9.0...

6.5CVSS4.5AI score0.01019EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/29 5:18 a.m.67 views

XSS in Issue - Attachments - CVE-2020-4024

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a vnd.wap.xhtml+xml content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9...

5.4CVSS5.2AI score0.00926EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:50 a.m.67 views

XSS in malicious repository file

A malicious file added to a repository will cause an XSS to file inside of FishEye...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/06/01 6:40 a.m.67 views

JIRA puts a user's XSRF token in various resources.

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61250. panel h5. Steps to Reproduce: Log into JIRA Log out from JIRA h5. Expected Results: The URL shown in the address bar does not show the...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/02/10 5:56 a.m.67 views

Security vulnerability in apache commons fileupload

Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library...

7.5CVSS4.5AI score0.83175EPSS
Exploits8Affected Software1
Atlassian
Atlassian
added 2022/06/22 4:5 p.m.66 views

Full Read SSRF in Mobile Plugin CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user including a user who joined via the sign-up feature to perform a full read server-side request forgery via a batch endpoint. This affects Jira Management Server and Data Center versions from versi...

6.5CVSS4.8AI score0.71169EPSS
Exploits1
Atlassian
Atlassian
added 2022/05/27 8:29 p.m.66 views

Full Read SSRF in Mobile Plugin CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user including a user who joined via the sign-up feature to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0...

6.5CVSS6.5AI score0.71169EPSS
Exploits1
Atlassian
Atlassian
added 2021/12/17 7:3 p.m.66 views

Upgrade Logback for CVE-2021-42550

h3. Issue Summary In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9. Please note: There is no RCE in Logback, and there is no vulnerabili...

8.5CVSS1.8AI score0.04439EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/11/01 10:27 p.m.66 views

Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Service Management Server / DC and Insight Asset Management app where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These specia...

8.3CVSS2.9AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/04/26 5:57 a.m.66 views

Unauthenticated users can inject messages into the XSRF token error page

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to display arbitrary messages in the application via an injection vulnerability in the XSRF token error page. The affected versions are before version 8.5.14, and from version 8.6.0 before 8.12.1. ...

6.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/11 7:39 p.m.66 views

Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center are susceptible to Tomcat PersistenceManager vulnerabilities. Affected versions: ≤ 8.16.0 Fixed versions: pending...

7.5CVSS7.1AI score0.18114EPSS
Exploits15
Atlassian
Atlassian
added 2021/01/22 5:27 p.m.66 views

Accessing the URL /chart?filename=<file_name> exposes sensitive information - CVE-2021-26067

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions...

5.3CVSS4.6AI score0.0111EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.66 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/02 9:6 a.m.66 views

Active Directory/LDAP credentials stored in database in cleartext

We use an Active Directory server for authenticating our JIRA users, and a MySQL server for storing our JIRA data. We were extremely alarmed to discover that the username and password used for accessing the AD server are stored in cleartext in the MySQL database. Anyone who is able to compromise...

0.8AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295