Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2015/01/09 12:26 a.m.52 views

OGNL Double Evaluation Vulnerability

We have discovered and fixed a vulnerability in our fork of one of Apache Struts libraries. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Bamboo web interface. All versions of Bamboo up t...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/24 4:42 a.m.52 views

CVE-2013-4590 vulnerability with Tomcat 7.0.42 shipped with Crowd 2.7.2

Crowd 2.7.2 is shipped with Tomcat 7.0.42, which is susceptible to CVE-2013-4590|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4590 h3.Workaround Deploy Crowd WAR instead, with Tomcat 7.0.50 or above. Instructions here:...

4.3CVSS0.2AI score0.09487EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2013/03/08 2:27 a.m.52 views

XSS vulnerabilty in JIRA Misc Workflow Extensions

There is a XSS vulnerability in the JIRA Misc Workflow Extensions plugin on the "Add Parameters To Validator" page. Validators / Add / Comment Required Validator The group names are not escaped and allow execution of Javascript. Affects: JIRA Misc Workflow Extensions 2.5.5.1...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/07/15 12:33 a.m.52 views

Enable Web Sudo to work with other single-sign-on solutions

Customers with some of the unsupported single sign-on solutions|http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence can't easily upgrade to Confluence 3.3 because WebSudo doesn't handle external SSO solutions. See this example:...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/03/07 2:45 a.m.51 views

DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Confluence Data Center and Server

This High severity org.eclipse.jetty:jetty-http Dependency vulnerability was introduced in versions 5.3 of Confluence Data Center and Server. This org.eclipse.jetty:jetty-http Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allo...

7.5CVSS7.3AI score0.03754EPSS
Exploits1
Atlassian
Atlassian
added 2024/02/14 10:47 a.m.51 views

RCE (Remote Code Execution) org.apache.xmlgraphics:batik-script Dependency in Jira Software Data Center and Server

This High severity org.apache.xmlgraphics:batik-script Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This org.apache.xmlgraphics:batik-script Dependency vulnerability, with a...

7.5CVSS7.3AI score0.0232EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/15 1:2 p.m.51 views

Woodstox Vulnerability in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.2.1 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS7.2AI score0.19653EPSS
Exploits1
Atlassian
Atlassian
added 2024/01/09 5:46 a.m.51 views

DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server

This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 7.21.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 of Bitbucket Data Center and Server. This org.xerial.snappy:snappy-java Dependency vulnerability, with a CVSS Score of 7.5...

7.5CVSS6.6AI score0.0104EPSS
Exploits1
Atlassian
Atlassian
added 2024/01/03 8:47 a.m.51 views

Confluence 8.7.1 is using a vulnerable library - spring-web-5.3.30

h3. Issue Summary CVE - CVE-2016-1000027 Advisory URL - https://nvd.nist.gov/vuln/detail/CVE-2016-1000027 h3. Steps to Reproduce Build confluence to find the vulnerable artifact h3. Expected Results Vulnerable library is fixed h3. Actual Results Vulnerable library found at -...

9.8CVSS7.1AI score0.32257EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2022/07/04 12:4 a.m.51 views

UPM: upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary UPM is currently using underscore.js 1.4.4. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variabl...

7.2CVSS2AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2022/03/23 12:59 a.m.51 views

Authentication Bypass in Jira Seraph - CVE-2022-0540

i Updates 2022/05/05 11:30 AM PDT Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available: Secure Code Warrior® for Jira Simple Tasklists Simple Team Pages for Jira UiPath Test Manager for Jira Xporter - Export issues from...

9.8CVSS2.6AI score0.88057EPSS
Exploits2
Atlassian
Atlassian
added 2021/01/07 5:7 p.m.51 views

RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955

There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system...

10CVSS5.3AI score0.82715EPSS
Exploits14Affected Software1
Atlassian
Atlassian
added 2020/11/18 9:48 p.m.51 views

A user-supplied regex in EyeQL causes ReDoS - CVE-2020-14190

Affected version of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions: 4.8.4 4.9.0...

7.5CVSS7.3AI score0.01212EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/09/23 5:14 p.m.51 views

Embedded Crowd passes sensitive paramaters in the URL when adding a new or editing an existing user directory.

h3. Issue Summary While adding a new directory or editing an existing one the embedded crowd passes directoryId, xsrfTokenName and xsrfTokenValue parameters to the URL. h3. Environment Bitbucket 6.9.X, 7.4.X, 7.5.X, 7.6.X h3. Steps to Reproduce In Bitbucket navigate to Gear Icon User Directories;...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/09/14 1:58 a.m.51 views

CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]

Atlassian Confluence Server and Data Center is not affected by CVE-2019-0230 Apache Struts Potential Remote Code Execution Vulnerability...

9.8CVSS4.5AI score0.97399EPSS
Exploits15
Atlassian
Atlassian
added 2020/06/23 4:27 p.m.51 views

SSRF in Webhooks - CVE-2020-14170

Affected versions of Atlassian Bitbucket Server allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery SSRF vulnerability in Webhooks. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that...

4.3CVSS5.7AI score0.00829EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/18 2:44 a.m.51 views

Man-in-the-middle in Jira email client - CVE-2020-14168

The email client in Jira Server and Data Center allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle MITM vulnerability Affected versions: version 7.13.14 8.5.0 ≤ version 8.5.5 8.8.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed version...

5.9CVSS6.6AI score0.0168EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/18 4:4 p.m.51 views

Opening 404 page (page not found) without user session will open 404 page instead of opening login page.

h3. Issue Summary Opening a random page on Crowd with a user that is not authenticated will display "Page not found" 404 page instead of the login page. h3. Steps to Reproduce Make sure you are not logged in. Try to open BaseURL/ABC h3. Expected Results As you do not have session information you...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/11 3:21 a.m.51 views

Authorization bypass allows information disclosure - CVE-2019-15003

h3. Authorization bypass allows information disclosure - CVE-2019-15003 h4. Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels|https://www.atlassian.com/security/security-severity-levels. The scale allow...

7.5CVSS1.7AI score0.03907EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/01 5:11 a.m.51 views

Update jQuery to address CVE-2019-11358

The version of jQuery used in Jira before 8.2.3 was vulnerable to CVE-2019-11358. This issue was addressed by updating Jira server to use a patched & custom version of jQuery 2.2.4.7...

6.1CVSS2.9AI score0.87218EPSS
Exploits4
Atlassian
Atlassian
added 2018/02/02 12:11 a.m.51 views

Argument injection in the download commit resource through the at parameter - CVE-2017-18087

The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them...

8.8CVSS8.8AI score0.77823EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2017/08/08 10:58 p.m.51 views

Granting Current Assignee to the Administer Project permissions will allow user to view all Projects

h3. Summary Granting Current Assignee to the Administer Project permissions will allow users to see ALL Projects that are assigned to that Permission Scheme. You can see the projects even if the user does not have any assigned issues in the project or even if the user is not listed as...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/07 12:32 a.m.51 views

CVE-2016-4319: /auditing/settings was vulnerable to CSRF

The /auditing/settings resource was vulnerable to CSRF|https://en.wikipedia.org/wiki/Cross-siterequestforgery attacks...

8.8CVSS1.3AI score0.00666EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/04 1:6 p.m.51 views

Workbox Plugin loads full HTML of JIRA comment, leads to GC loop of death on large comment

To reproduce: start Confluence with GC logging enabled optional, but helps Link Confluence and JIRA create an issue in JIRA watch it add a large comment to the JIRA issue, e.g. paste a 7.7MB log file between \code\ tags open the workbox in Confluence optional: in network tab of web developer tool...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/05/12 7:34 a.m.51 views

Update the version of commons-httpclient to address CVE-2012-5783 & CVE-2014-3577 and gain SNI support

Upgrade commons-httpclient to version 3.1-atlassian-2 to gain SNI support and to fix CVE-2012-5783 & CVE-2014-3577...

7.6AI score
Exploits0
Atlassian
Atlassian
added 2025/04/01 10:57 p.m.50 views

XXE (XML External Entity Injection) in Jira Core Data Center and Server and Jira Software Server

This High severity XXE XML External Entity Injection vulnerability was introduced in version 9.12.0 of Jira Core Data Center and Server and Jira Software Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.7, allows an attacker to access local and remote content...

7.5CVSS6.5AI score0.19442EPSS
Exploits1
Atlassian
Atlassian
added 2024/06/12 6:10 p.m.50 views

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N...

7.9AI score
Exploits0
Atlassian
Atlassian
added 2024/04/18 1:10 a.m.50 views

Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server

This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, and 9.15.0 of Jira Software Data Center and Server. This...

8.2CVSS6.7AI score0.00948EPSS
Exploits0
Atlassian
Atlassian
added 2023/09/07 2:1 a.m.50 views

Third-Party Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 8.1.12 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with CVSS Scores of 7.5, and CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an attacker to expose assets in yo...

7.5CVSS6.5AI score0.46836EPSS
Exploits1
Atlassian
Atlassian
added 2022/04/20 8:14 p.m.50 views

Reflected XSS on /secure/TeamManagement.jspa via "planUrl" parameter - CVE-2022-36801

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting RXSS vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8. Affected versions:...

6.1CVSS5.8AI score0.64863EPSS
Exploits0
Atlassian
Atlassian
added 2021/12/22 3:16 a.m.50 views

Import source configuration information is leaked via the Insight Import Source feature - CVE-2021-43950

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature. The affected versions are before version 4.21.0...

4.3CVSS4.6AI score0.00845EPSS
Exploits0
Atlassian
Atlassian
added 2021/12/22 3:14 a.m.50 views

An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are before version 4.21.0. Affected versions: version 4.21.0 Fix...

4.3CVSS6.3AI score0.00809EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/25 1:26 a.m.50 views

Non-administrators can edit the File Replication settings - CVE-2021-41308

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...

6.5CVSS5.5AI score0.00981EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/22 4:54 a.m.50 views

Persistent XSS through Team Calendar in Confluence Server - CVE-2020-29444

Affected versions of Team Calendar in Confluence Server allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting vulnerability in admin global setting parameters. h3. Affected versions: 7.11.0 h3. Fixed version: 7.11.0 This vulnerability is attributed to Stefano...

5.4CVSS3AI score0.00928EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/07/01 6:16 p.m.50 views

Information disclosure in API and Integrations - CVE-2020-14180

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. Affected versions:...

4.3CVSS5.8AI score0.00848EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/23 1:36 a.m.50 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Jira Server and Data Center before version 7.13.12, from version 8.0.0 before version 8.5.4 and from version 8.6.0 before version 8.6.1 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an...

4.9CVSS5.1AI score0.01487EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 3:19 a.m.50 views

Jira on Windows was vulnerable to DLL hijacking - CVE-2019-20400

The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability. h3. Acknowledgment We would like to thank Peleg Hadar of SafeBreach Labs for...

7.8CVSS4.7AI score0.00367EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:44 a.m.50 views

SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF vulnerability due to a logic bug in the JiraWhitelist class. Important Note: The patch is deployed in f...

6.5CVSS6.5AI score0.94453EPSS
Exploits2
Atlassian
Atlassian
added 2019/04/29 3:8 a.m.50 views

XSS in the activity stream gadget via the country parameter - CVE-2018-20827

The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the country parameter...

5.4CVSS4.9AI score0.00756EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/12/20 2:41 p.m.50 views

Sprint End Date in a distant future causes OutOfMemoryError

h3. Summary Jira Software REST API /rest/agile/1.0/sprint/ is allowing to enter a date in the future, much higher than what is allowed by the UI . That causes Jira to hit OutOfMemoryError when loading a board based on a sprint having a big number of years as "End Date" due to excessive object...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/10 9:22 a.m.50 views

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

h4. Open redirect in default servlet CVE-2018-11784|https://access.redhat.com/security/cve/cve-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory e.g. redirecting to '/foo/' when the user...

4.3CVSS3.6AI score0.94494EPSS
Exploits3
Atlassian
Atlassian
added 2018/07/12 9:35 a.m.50 views

Non Calendar Creator can see the Username and Password Fields to a Calendar subscribed from URL

h3. Summary Non Calendar Creator can see the Username and Password Fields to a Calendar subscribed from URL h3. Environment Confluence 6.7.2 Team Calendar 6.0.17 h3. Steps to Reproduce Login as UserA Calendar Creator Create a new Calendar with the Subscribe by URL option Subscribe to any external...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/05 4:34 p.m.50 views

Users with the same name as an inactive user in a higher priority directory get all that users memberships

h3. Summary In embedded Crowd in at least JIRA and Confluence, when a user is made inactive but retains its groups, then if a lower priority directory has a new user created with the same name, it now inherits their memberships. It seems like the logic used to determine the user authentication by...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/13 7:48 p.m.50 views

SourceTree 7za Vulnerability.

SourceTree Version 1.8.3 installs a 7za.exe C:\Program Files x86\Atlassian\SourceTree\tools\7za.exe in Version 9.20, which has known vulnerabilities: CVE-2016-2334 CVE-2016-2335 More information about the vulnerabilities: http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html...

9.3CVSS1.7AI score0.14742EPSS
Exploits5Affected Software1
Atlassian
Atlassian
added 2016/05/27 4:0 a.m.50 views

CVE-2016-4317: XSS on viewmyprofile.action page

The viewmyprofile.action resource was vulnerable to persistent XSS...

5.4CVSS2.2AI score0.0071EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/19 9:30 a.m.50 views

Upgrade bundled Tomcat to the latest minor release

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-33563. panel Customer did a Security Scan on the instance and founded the version 5.1.8 that he is using subjected to security vulnerabiliti...

5CVSS7.2AI score0.11975EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.49 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVS...

7.5CVSS6.3AI score0.0043EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/11 7:10 a.m.49 views

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Crowd Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8AI score
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:51 a.m.49 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8.1CVSS7AI score0.09346EPSS
Exploits1
Atlassian
Atlassian
added 2024/02/15 4:33 a.m.49 views

Stored XSS in Confluence Data Center

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to...

8.5CVSS6.2AI score0.00471EPSS
Exploits0
Total number of security vulnerabilities4295