Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2022/07/05 4:36 p.m.64 views

JSM: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Jira Service Management Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS1.7AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2021/12/17 7:3 p.m.64 views

Upgrade Logback for CVE-2021-42550

h3. Issue Summary In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9. Please note: There is no RCE in Logback, and there is no vulnerabili...

8.5CVSS1.8AI score0.04439EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.64 views

Issue watchers continue receiving updates even after their Jira account is revoked - CVE-2021-39119

h3. Summary Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are...

5.3CVSS5AI score0.00752EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/22 9:11 p.m.64 views

Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2021-25329|https://nvd.nist.gov/vuln/detail/CVE-2021-25329 and CVE-2021-25122|https://nvd.nist.gov/vuln/detail/CVE-2021-25122. The affected versions are before version 8.17.0. ...

7.5CVSS7.1AI score0.18114EPSS
Exploits15
Atlassian
Atlassian
added 2020/09/03 11:53 p.m.64 views

A URL to the unknown attachment place-holder utilizes http instead of https when https is configured

h3. Issue Summary A URL to the unknown attachment place-holder utilizes http instead of https when base URL is set to https, and tomcat server.xml scheme is set to https. h3. Steps to Reproduce Create a page and add an attachment to it. Open Attachments page from the view page and remove the...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/17 6:0 a.m.64 views

Spring Framework Vulnerability - CVE-2020-5398

h3. Issue Summary Security vulnerability scan gave a red flag for Spring Framework plugin version that is used in Bitbucket Server version 6.10.0. The CVE-2020-5398 is being noted from the report scan. h3. Description Plugin: Spring Framework 5.0.x 5.0.16 / 5.1.x 5.1.13 / 5.2.x 5.2.3 Spring...

8CVSS3.3AI score0.88077EPSS
Exploits2
Atlassian
Atlassian
added 2019/07/08 11:7 p.m.64 views

XSS in various types of nested wiki markup - CVE-2017-18102

The bundled version of atlassian-renderer in Fisheye before version 4.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently restricted to...

5.4CVSS3.2AI score0.00921EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/12/03 2:27 a.m.64 views

XSS in the two-dimensional filter statistics gadget on a Jira dashboard - CVE-2018-13403

The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of ...

5.4CVSS3.2AI score0.00944EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/21 12:23 a.m.64 views

Upgrade bundled Tomcat to 6.0.37

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29345. panel Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version...

6.8CVSS2.4AI score0.11975EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2024/04/16 9:46 p.m.63 views

REST API pagination (eg, /rest/api/space) returns more data than available

h3. Issue Summary This issue relates to general paginated results. Requesting data from an endpoint such as /rest/api/space or rest/api/content causes Confluence to return more data than available. This is reproducible on Data Center: yes h3. Steps to Reproduce Request /rest/api/space to collect...

7AI score
Exploits0
Atlassian
Atlassian
added 2023/12/05 6:46 a.m.63 views

RCE in Confluence Data Center and Server - CVE-2023-22522

h2. Summary of Vulnerability This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and...

9CVSS7.1AI score0.12844EPSS
Exploits0
Atlassian
Atlassian
added 2023/01/12 10:45 p.m.63 views

Critical severity authentication vulnerability - CVE-2023-22501

An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled...

9.4CVSS3.9AI score0.15978EPSS
Exploits0
Atlassian
Atlassian
added 2021/06/30 3:9 a.m.63 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS9.6AI score0.48883EPSS
Exploits1
Atlassian
Atlassian
added 2021/05/06 8:5 a.m.63 views

Stored XSS on Jira Issue XML Export - CVE-2021-26082

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in XML Export. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0. Affected...

5.4CVSS4.3AI score0.00735EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:8 a.m.63 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6
Atlassian
Atlassian
added 2020/04/08 3:24 a.m.63 views

XSS via Issue Navigator Basic Search - CVE-2019-20414

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in Issue Navigator Basic Search. Affected versions: version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.13.9 8.4.2 8.5.0...

5.4CVSS4.4AI score0.01047EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/27 10:52 p.m.63 views

SSRF via WebDAV endpoint - CVE-2019-3395

There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance. Affected versions: All versions of Confluence Server and Confluence Data Center...

9.8CVSS2.9AI score0.06712EPSS
Exploits0
Atlassian
Atlassian
added 2019/01/29 1:26 a.m.63 views

Download a deleted page via word export - CVE-2018-20237

Atlassian Confluence Server from version 6.12.0 or earlier, and before version 6.13.1, or before version 6.14.0 allows an authenticated user to download a deleted page via the word export feature...

6.5CVSS4.4AI score0.01737EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/12/12 8:33 a.m.63 views

REST endpoint user impersonation using authentication module functionality - CVE-2017-16858

The 'crowd-application' plugin module notably used by the Google Apps plugin in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given th...

6.8CVSS6.4AI score0.00576EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/11/10 1:44 a.m.62 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1 and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7.2AI score0.99999EPSS
Exploits19
Atlassian
Atlassian
added 2022/03/15 7:56 p.m.62 views

Template Injection in Email Templates - bypass of mitigation via XStream - CVE-2022-36799

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Templat...

7.2CVSS7.8AI score0.44604EPSS
Exploits0
Atlassian
Atlassian
added 2021/11/01 9:59 p.m.62 views

Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS3.9AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/07/02 12:39 a.m.62 views

Cached content persisting after disabling anonymous access for allowlist URLs - CVE-2021-39113

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version...

7.5CVSS5.9AI score0.01809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:45 p.m.62 views

Update application links to 5.4.23 to fix CVE-2020-5398

Affected versions of Atlassian FishEye and Crucible allow remote attackers to view sensitive information via an Information Disclosure vulnerability in a vulnerable version of the Application Links component. The affected versions are before version 4.8.6. Affected versions: version 4.8.6 Fixed...

8CVSS7.4AI score0.88077EPSS
Exploits2
Atlassian
Atlassian
added 2021/01/21 1:53 a.m.62 views

Username enumeration via password reset page - CVE-2021-39125

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS6.2AI score0.01401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:27 a.m.62 views

Missing permission check in several worklog rest resources - CVE-2019-8445

Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check...

5.3CVSS5.4AI score0.02711EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:50 p.m.62 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Fisheye before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Fisheye...

6.1CVSS1.5AI score0.87218EPSS
Exploits4
Atlassian
Atlassian
added 2019/02/28 3:2 a.m.62 views

Remote code execution via Widget Connector macro - CVE-2019-3396

There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. ...

10CVSS3.2AI score0.99913EPSS
Exploits20
Atlassian
Atlassian
added 2017/05/08 5:5 a.m.62 views

Command Injection (CVE-2017-8768)

SourceTree for Windows is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface. Affected versions: Versions of SourceTree for Windows starting with 0.8.4b before version 2.0.20.1 are affected by this...

10CVSS3.1AI score0.08262EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/09 3:15 a.m.62 views

reflected xss in the pageId request parameter in 500page.jsp

A scanner picked up that the pageId parameter in 500page.jsp is a potentially reflected xss bug. This can be exploited through a url like the following: https://example.com/pages/viewtrash.vm;editpage?pageId=%22%3E%3Cscript%3Ealert1%3C/script%3E code /images/icons/emoticons/warning.png" You can...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/06 5:45 p.m.61 views

FasterXML Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.9AI score0.02824EPSS
Exploits2
Atlassian
Atlassian
added 2023/10/06 5:44 p.m.61 views

jackson-databind Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.5AI score0.0486EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/10 4:57 a.m.61 views

Tomcat versions bundled with the Crowd product are vulnerable to CVE-2021-33037

The different Tomcat versions 8.5.X bundled to the Atlassian Crowd product versions lower than Crowd 4.4.1 are vulnerable to CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037 The Tomcat versions from 8.5.0 to 8.5.66 are affected by the mentioned...

5.3CVSS6AI score0.75353EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/04 1:52 a.m.61 views

CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService

Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery SSRF vulnerability in the DefaultRepositoryAdminService class. When runni...

4.3CVSS5AI score0.00736EPSS
Exploits0
Atlassian
Atlassian
added 2021/11/02 11:0 p.m.61 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bamboo) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bamboo where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or cod...

8.3CVSS8.3AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/08/18 1:0 a.m.61 views

Self-xss via copying content from a PDF - CVE-2021-39111

The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the handling of supplied content such a...

6.1CVSS3.2AI score0.00978EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/14 11:35 a.m.61 views

Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

h3. Issue Summary The recently disclosed vulnerability regarding Apache Tomcat CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037, CVE-2021-33037|https://nvd.nist.gov/vuln/detail/CVE-2021-33037 Base Score: 5.3 MEDIUM CVE-2021-42340|https://vulners.com/cve/CVE-2021-42340 NVD score not yet...

7.5CVSS6.5AI score0.75353EPSS
Exploits1
Atlassian
Atlassian
added 2021/01/25 7:2 a.m.61 views

Jira bundles a vulnerable version of atlassian-gadgets - CVE-2020-36232

The atlassian-gadgets plugin used in affected versions of Atlassian Jira Server and Data Center allows unexpected DNS lookups and requests to malicious servers via server side request forgery vulnerability. The affected versions are before version 8.5.10, from version 8.6.0 before version 8.13.2,...

5CVSS3.6AI score0.00975EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:40 a.m.61 views

Service enumeration via applinks/listEntityLinks/

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate internal services via an Information Disclosure vulnerability. The vulnerability is only exploitable if WebSudo is disabled in Jira. Affected versions: version 8.4.2 Fixed versions: 8.4.2 8.5.0...

5.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:50 a.m.61 views

Various XSS through a repository or review filename - CVE-2017-9508

Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a repository or review file...

5.4CVSS3.8AI score0.00826EPSS
Exploits0
Atlassian
Atlassian
added 2016/09/12 6:53 a.m.61 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluen...

7.5CVSS0.9AI score0.03743EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/05/27 4:0 a.m.61 views

CVE-2016-4317: XSS on viewmyprofile.action page

The viewmyprofile.action resource was vulnerable to persistent XSS...

5.4CVSS2.2AI score0.0071EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/11 8:30 a.m.61 views

getRedirect in JiraWebActionSupport redirects to unsafe URLs by default

In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found: code:java / Redirects to the value of @code getReturnUrl, falling back to @code defaultUrl if the @code returnUrl is not set. This method clears the @code returnUrl. If...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/05/03 10:17 a.m.61 views

websudo does not work with Confluence when it's integrated with Crowd SSO

h5. Steps to reproduce Integrate with Crowd with SSO|http://confluence.atlassian.com/display/DOC/Connecting+to+Crowd+or+JIRA+for+User+Management Go to Confluence Admin, it does not prompt to enter password websudo Go to Security Configuration. Note that it will look something like this:...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/16 1:54 p.m.60 views

Page restrictions are not inherited for pages created from Templates

h3. Issue Summary Page restrictions are not inherited to child pages if the child page is created via Templates e.g Meeting notes template. This is reproducible on Data Center: yes h3. Steps to Reproduce Create a page and apply page restriction for some user View and edit restriction Create a chi...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2022/07/26 2:55 a.m.60 views

SSRF via CSV import into JSM Insight - CVE-2021-43959

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to access the content of internal network resources via a Server-Side Request Forgery SSRF vulnerability in the CSV importing feature of JSM Insight. When running in an environment...

5.7CVSS4.4AI score0.00602EPSS
Exploits0
Atlassian
Atlassian
added 2022/06/02 3:36 a.m.60 views

Unauthenticated remote code execution vulnerability via OGNL template injection - Duplicate

This is a duplicate of https://jira.atlassian.com/browse/CONFSERVER-79016 See the link above for more information on the issue...

9.8CVSS1.9AI score0.99999EPSS
Exploits75
Atlassian
Atlassian
added 2021/10/17 11:13 a.m.60 views

Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError

h3. Issue Summary Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError Base Score: 7.5 HIGH bq. The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once th...

7.5CVSS1.9AI score0.10997EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.60 views

Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira...

7.2CVSS7.5AI score0.01832EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/09 1:38 p.m.60 views

Stored XSS via Custom Fields creation on AssociateFieldToScreens page - CVE-2021-39117

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting SXSS vulnerability in the Custom Fields creation feature on the AssociateFieldToScreens page. This bug was introduced in version 8.15.0, and i...

4.8CVSS3.8AI score0.00635EPSS
Exploits0Affected Software1
Total number of security vulnerabilities4295