Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/09/14 1:58 a.m.51 views

CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]

Atlassian Confluence Server and Data Center is not affected by CVE-2019-0230 Apache Struts Potential Remote Code Execution Vulnerability...

9.8CVSS4.5AI score0.97399EPSS
Exploits15
Atlassian
Atlassian
added 2020/03/18 4:4 p.m.51 views

Opening 404 page (page not found) without user session will open 404 page instead of opening login page.

h3. Issue Summary Opening a random page on Crowd with a user that is not authenticated will display "Page not found" 404 page instead of the login page. h3. Steps to Reproduce Make sure you are not logged in. Try to open BaseURL/ABC h3. Expected Results As you do not have session information you...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/11 3:21 a.m.51 views

Authorization bypass allows information disclosure - CVE-2019-15003

h3. Authorization bypass allows information disclosure - CVE-2019-15003 h4. Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels|https://www.atlassian.com/security/security-severity-levels. The scale allow...

7.5CVSS1.7AI score0.03907EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/01 5:11 a.m.51 views

Update jQuery to address CVE-2019-11358

The version of jQuery used in Jira before 8.2.3 was vulnerable to CVE-2019-11358. This issue was addressed by updating Jira server to use a patched & custom version of jQuery 2.2.4.7...

6.1CVSS2.9AI score0.87218EPSS
Exploits4
Atlassian
Atlassian
added 2019/07/08 11:36 p.m.52 views

Upgrade Xstream to address CVE-2016-3674

The bundled version of XStream in Crucible before version 4.7.1 was vulnerable to CVE-2016-3674 https://nvd.nist.gov/vuln/detail/CVE-2016-3674...

7.5CVSS1.7AI score0.08179EPSS
Exploits0
Atlassian
Atlassian
added 2017/08/08 10:58 p.m.51 views

Granting Current Assignee to the Administer Project permissions will allow user to view all Projects

h3. Summary Granting Current Assignee to the Administer Project permissions will allow users to see ALL Projects that are assigned to that Permission Scheme. You can see the projects even if the user does not have any assigned issues in the project or even if the user is not listed as...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/12 6:27 a.m.51 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to...

7.5CVSS1AI score0.03743EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/04 1:6 p.m.51 views

Workbox Plugin loads full HTML of JIRA comment, leads to GC loop of death on large comment

To reproduce: start Confluence with GC logging enabled optional, but helps Link Confluence and JIRA create an issue in JIRA watch it add a large comment to the JIRA issue, e.g. paste a 7.7MB log file between \code\ tags open the workbox in Confluence optional: in network tab of web developer tool...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/05/12 7:34 a.m.51 views

Update the version of commons-httpclient to address CVE-2012-5783 & CVE-2014-3577 and gain SNI support

Upgrade commons-httpclient to version 3.1-atlassian-2 to gain SNI support and to fix CVE-2012-5783 & CVE-2014-3577...

7.6AI score
Exploits0
Atlassian
Atlassian
added 2024/06/12 6:10 p.m.50 views

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N...

7.9AI score
Exploits0
Atlassian
Atlassian
added 2024/04/18 1:10 a.m.50 views

Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server

This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, and 9.15.0 of Jira Software Data Center and Server. This...

8.2CVSS6.7AI score0.00948EPSS
Exploits0
Atlassian
Atlassian
added 2023/09/07 2:1 a.m.50 views

Third-Party Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 8.1.12 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with CVSS Scores of 7.5, and CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an attacker to expose assets in yo...

7.5CVSS6.5AI score0.46836EPSS
Exploits1
Atlassian
Atlassian
added 2022/04/20 8:14 p.m.50 views

Reflected XSS on /secure/TeamManagement.jspa via "planUrl" parameter - CVE-2022-36801

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting RXSS vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8. Affected versions:...

6.1CVSS5.8AI score0.64863EPSS
Exploits0
Atlassian
Atlassian
added 2021/12/22 3:16 a.m.50 views

Import source configuration information is leaked via the Insight Import Source feature - CVE-2021-43950

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature. The affected versions are before version 4.21.0...

4.3CVSS4.6AI score0.00845EPSS
Exploits0
Atlassian
Atlassian
added 2021/12/22 3:14 a.m.50 views

An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are before version 4.21.0. Affected versions: version 4.21.0 Fix...

4.3CVSS6.3AI score0.00809EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/25 1:26 a.m.50 views

Non-administrators can edit the File Replication settings - CVE-2021-41308

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...

6.5CVSS5.5AI score0.00981EPSS
Exploits0
Atlassian
Atlassian
added 2021/08/18 1:0 a.m.50 views

Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE-2021-39121

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from...

4.3CVSS5.5AI score0.01141EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/22 4:54 a.m.50 views

Persistent XSS through Team Calendar in Confluence Server - CVE-2020-29444

Affected versions of Team Calendar in Confluence Server allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting vulnerability in admin global setting parameters. h3. Affected versions: 7.11.0 h3. Fixed version: 7.11.0 This vulnerability is attributed to Stefano...

5.4CVSS3AI score0.00928EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/07/01 6:16 p.m.50 views

Information disclosure in API and Integrations - CVE-2020-14180

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. Affected versions:...

4.3CVSS5.8AI score0.00848EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:44 a.m.50 views

SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF vulnerability due to a logic bug in the JiraWhitelist class. Important Note: The patch is deployed in f...

6.5CVSS6.5AI score0.94453EPSS
Exploits2
Atlassian
Atlassian
added 2019/04/29 3:8 a.m.50 views

XSS in the activity stream gadget via the country parameter - CVE-2018-20827

The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the country parameter...

5.4CVSS4.9AI score0.00756EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/12/20 2:41 p.m.50 views

Sprint End Date in a distant future causes OutOfMemoryError

h3. Summary Jira Software REST API /rest/agile/1.0/sprint/ is allowing to enter a date in the future, much higher than what is allowed by the UI . That causes Jira to hit OutOfMemoryError when loading a board based on a sprint having a big number of years as "End Date" due to excessive object...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/10 9:22 a.m.50 views

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

h4. Open redirect in default servlet CVE-2018-11784|https://access.redhat.com/security/cve/cve-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory e.g. redirecting to '/foo/' when the user...

4.3CVSS3.6AI score0.94494EPSS
Exploits3
Atlassian
Atlassian
added 2018/07/12 9:35 a.m.50 views

Non Calendar Creator can see the Username and Password Fields to a Calendar subscribed from URL

h3. Summary Non Calendar Creator can see the Username and Password Fields to a Calendar subscribed from URL h3. Environment Confluence 6.7.2 Team Calendar 6.0.17 h3. Steps to Reproduce Login as UserA Calendar Creator Create a new Calendar with the Subscribe by URL option Subscribe to any external...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/05 4:34 p.m.50 views

Users with the same name as an inactive user in a higher priority directory get all that users memberships

h3. Summary In embedded Crowd in at least JIRA and Confluence, when a user is made inactive but retains its groups, then if a lower priority directory has a new user created with the same name, it now inherits their memberships. It seems like the logic used to determine the user authentication by...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/13 7:48 p.m.50 views

SourceTree 7za Vulnerability.

SourceTree Version 1.8.3 installs a 7za.exe C:\Program Files x86\Atlassian\SourceTree\tools\7za.exe in Version 9.20, which has known vulnerabilities: CVE-2016-2334 CVE-2016-2335 More information about the vulnerabilities: http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html...

9.3CVSS1.7AI score0.14742EPSS
Exploits5Affected Software1
Atlassian
Atlassian
added 2016/05/27 4:0 a.m.50 views

CVE-2016-4317: XSS on viewmyprofile.action page

The viewmyprofile.action resource was vulnerable to persistent XSS...

5.4CVSS2.2AI score0.0071EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.49 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVS...

7.5CVSS6.3AI score0.0043EPSS
Exploits0
Atlassian
Atlassian
added 2025/04/01 10:57 p.m.49 views

XXE (XML External Entity Injection) in Jira Core Data Center and Server and Jira Software Server

This High severity XXE XML External Entity Injection vulnerability was introduced in version 9.12.0 of Jira Core Data Center and Server and Jira Software Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.7, allows an attacker to access local and remote content...

7.5CVSS6.5AI score0.19442EPSS
Exploits1
Atlassian
Atlassian
added 2024/07/11 7:10 a.m.49 views

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Crowd Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8AI score
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:51 a.m.49 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8.1CVSS7AI score0.09346EPSS
Exploits1
Atlassian
Atlassian
added 2024/01/17 6:46 a.m.49 views

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server

This High severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 6.10.0 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.02651EPSS
Exploits0
Atlassian
Atlassian
added 2023/10/06 5:45 p.m.49 views

FasterXML Vulnerability in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.1.0, 9.2.1, and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.8AI score0.02824EPSS
Exploits2
Atlassian
Atlassian
added 2023/10/04 7:45 p.m.49 views

com.google.code.gson Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.7CVSS6.8AI score0.1158EPSS
Exploits0
Atlassian
Atlassian
added 2023/10/04 7:45 p.m.49 views

Jettison Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.01395EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/07 8:15 a.m.49 views

CVE-2021-43955: /rest-service-fecru/server-v1 leaks information about installation directories

The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. Affected versions: version 4.8.9 Fixed versions: 4.8.9...

4.3CVSS5.9AI score0.00841EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.49 views

Anonymous users can view names of private projects and filters via Average Time in Status Gadget - CVE-2021-41306

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References IDOR vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version...

7.5CVSS5.6AI score0.0157EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/10/13 6:33 a.m.49 views

Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313

Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.21....

4.3CVSS6.8AI score0.00842EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/01/12 11:53 p.m.49 views

Html Macros should respect authenticated user based on allowlist API

Gadgets have moved to use whitelist.isAllowedURI, Userkey to give more controls to admins to whether allow anonymous users or not. More details on the whitelist API changes can be found here: https://asecurityteam.atlassian.net/browse/VULN-217900 We had to enable the old behaviour of...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/23 12:5 a.m.49 views

XXE in OpenID client application - CVE-2019-20104

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. This issue was addressed by disabling the OpenID client application in Crowd. Please ...

7.5CVSS3.8AI score0.02434EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/12/17 2:10 a.m.49 views

Various Jira Server setup resources are vulnerable to XSRF/CSRF - CVE-2019-20401

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery CSRF vulnerabilities. Once a Jira instance is setup i.e. database, admin account, licence, etc. form ar...

6.5CVSS4AI score0.00794EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:47 a.m.49 views

XSS in various templates of the Optimization plugin - CVE-2019-8450

Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of a custom...

4.8CVSS4.1AI score0.00879EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/05/06 4:6 a.m.49 views

Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code...

9.8CVSS9.7AI score0.95355EPSS
Exploits6
Atlassian
Atlassian
added 2019/01/23 10:56 p.m.49 views

Input validation vulnerability via Git in Sourcetree for Windows - CVE-2018-17456

There was an input validation vulnerability in Sourcetree for Windows via a Git repository with submodules. A remote attacker with permission to commit to a Git repository linked in Sourcetree for Windows is able to able to exploit this issue to gain code execution on the system. h4. Affected...

9.8CVSS4.6AI score0.97356EPSS
Exploits12
Atlassian
Atlassian
added 2017/07/17 7:50 a.m.49 views

Various XSS through a repository or review filename - CVE-2017-9508

Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a repository or review file...

5.4CVSS3.8AI score0.00826EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/15 2:23 a.m.49 views

XSS in /includes/decorators/global-translations.jsp

Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: Tamper with a GET request to http:///includes/decorators/global-translations.jsp with the Host header set to some XSS payload e.g. codealert/xss/code The offending lines in code pick this payload and...

6.1CVSS0.3AI score0.02111EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2012/01/03 3:5 a.m.49 views

Upgrade Tomcat to latest minor version

See http://www.cvedetails.com/cve/CVE-2011-4084/. We're shipping 6.0.32 at the moment...

0.8AI score
Exploits5Affected Software1
Atlassian
Atlassian
added 2024/05/16 4:11 a.m.48 views

SQLi (SQL Injection) org.postgresql:postgresql Dependency in Confluence Data Center and Server

This Critical severity org.postgresql:postgresql Dependency vulnerability was introduced in versions 6.0.1 of Confluence Data Center and Server. Confluence Data Center is unaffected by this vulnerability as it does not use the PreferQueryMode=SIMPLE parameter required for this vulnerability in it...

10CVSS9.7AI score0.0481EPSS
Exploits0
Atlassian
Atlassian
added 2024/05/13 10:10 a.m.48 views

RCE (Remote Code Execution) org.eclipse.jgit:org.eclipse.jgit Dependency in Bamboo Data Center and Server

This High severity org.eclipse.jgit:org.eclipse.jgit Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server. The latest LTS Bamboo 9.6.0 is not impacted by this Vulnerability. This org.eclipse.jgit:org.eclipse.jgit...

8.8CVSS7.3AI score0.01884EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/03 8:56 a.m.48 views

Bitbucket Data Center is affected by CVE-2024-25710

h3. Issue Summary Bitbucket is affected by CVE-2024-25710|https://nvd.nist.gov/vuln/detail/CVE-2024-25710 The affected file /app/WEB-INF/lib/commons-compress-1.21.jar h3. Steps to Reproduce N/A h3. Expected Results N/A h3. Actual Results N/A h3. Workaround Currently, there is no known workaround...

8.1CVSS6.5AI score0.00441EPSS
Exploits0
Total number of security vulnerabilities4295