4295 matches found
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server
This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of...
DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Dependency in Jira Software Data Center and Server
This High severity net.sourceforge.nekohtml:nekohtml Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, and 9.9.0 of Jira Software Data Center and Server. This net.sourceforge.nekohtml:nekohtml Dependency vulnerability, with a CVSS...
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
This High severity org.codehaus.jettison:jettison Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, and 9.8.0 of Jira Software Data Center and Server. This org.codehaus.jettison:jettison Dependency vulnerability, with a CVS...
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Jira Software Data Center and Server
This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. This org.xerial.snappy:snappy-java...
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Jira Software Data Center and Server
This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. This org.xerial.snappy:snappy-java...
DoS (Denial of Service) org.json:json Dependency in Jira Software Data Center and Server
This High severity org.json:json Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, and 9.9.0 of Jira Software Data Center and Server. This org.json:json Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS...
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server
This High severity org.eclipse.jetty:jetty-http Dependency vulnerability was introduced in versions 9.2.1, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This org.eclipse.jetty:jetty-http Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server
This High severity org.apache.santuario:xmlsec Dependency vulnerability was introduced in all versions of Crowd Data Center and Server before 5.2.2 This org.apache.santuario:xmlsec Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N...
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server
This High severity org.eclipse.jetty:jetty-http Dependency vulnerability was introduced in versions 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 of Bitbucket Data Center and Server. This org.eclipse.jetty:jetty-http Dependency vulnerability, with a CVSS Score of 7.5 and a CVS...
Json-smart Vulnerability in Jira Service Management Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 4.20.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, and 5.10.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990
h2. Summary of Vulnerability Certain versions of Jira Service Management Server & Data Center were affected by CVE-2019-13990. The affected versions contained vulnerable versions of Terracotta Quartz Scheduler which allowed authenticated attackers to initiate an XML External Entity injection atta...
Object import configuration details are leaked via the Create Object type mapping feature - CVE-2021-43951
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view object import configuration details via an Information Disclosure vulnerability in the Create Object type mapping feature. The affected versions are before version 4.21.0...
Upgrade Logback for CVE-2021-42550
h3. Issue Summary In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9. Please note: There is no RCE in Logback, and there is no vulnerabili...
Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239
h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...
Username enumeration on Jira Software Server 8.15 - CVE-2021-26081
Affected versions of Atlassian Jira Server and Jira Data Center allow remote attackers to discover the username of users via an enumeration vulnerability in the REST API. CVE-2021-26081 The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, from version 8.14.0 before...
JSW Server not vulnerable to an Insecure Deserialization issue in Jackson Databind - CVE-2018-14720
Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind CVE-2018-14720. This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jir...
SSRF in Webhooks - CVE-2020-14170
Affected versions of Atlassian Bitbucket Data Center allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery SSRF vulnerability in Webhooks. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource...
Various Jira Server setup resources are vulnerable to XSRF/CSRF - CVE-2019-20401
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery CSRF vulnerabilities. Once a Jira instance is setup i.e. database, admin account, licence, etc. form ar...
Open redirect in startup.jsp - CVE-2019-11585
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect...
CSRF in the ServiceExecutor resource - CVE-2019-8447
The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery CSRF vulnerability...
Information disclosure in the /rest/api/2/user/picker rest resource - CVE-2019-3403
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check...
XSS in WallboardServlet through the cyclePeriod parameter - CVE-2018-20824
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the cyclePeriod parameter...
Upgrade bundled Java to 8u101+
Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect Confluence...
Update Java version bundled found in the installer to a version >= 1.8u51
Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...
Upgrade bundled Tomcat due to security vulnerabilities
There are some Tomcat security vulnerabilities reported against the bundled version 7.0.32: CVE-2013-2067|http://mail-archives.apache.org/modmbox/www-announce/201305.mbox/%[email protected]%3E...
Encrypt Database Password in dbconfig.xml or use integrated authentication
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-31004. panel panel:title=Atlassian Update – 5 January 2016|borderStyle=solid|borderColor=ebf2f9 | titleBGColor=ebf2f9 | bgColor=ffffff Hi...
XSS vulnerability in space key, particularly with decorators off
As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag. Eg Doc Theme breaks without it. Themes choice breaks without it. To exploit it, create a user with html in the login name, then create a...
Improper Authorization org.springframework.security:spring-security-core Dependency in Confluence Data Center and Server
This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.springframework.security:spring-security-core Dependency vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...
Bundled JRE in Bitbucket 8.16+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919
h3. Issue Summary Bitbucket 8.16 and above bundles OpenJDK 17.0.9 which is vulnerable as per OpenJDK advisory|https://openjdk.org/groups/vulnerability/advisories/2024-01-16. .The recommendation is to update Java to a version greater than 17.0.9 such as 17.0.10. - A vulnerability that allows an...
DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Jira Software Data Center and Server
This High severity software.amazon.ion:ion-java Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, and 9.14.0 of Jira Software Data Center and Server. This software.amazon.ion:ion-java Dependenc...
Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server
This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...
DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Bamboo Data Center and Server
This High severity software.amazon.ion:ion-java Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server. This software.amazon.ion:ion-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
This High severity org.codehaus.jettison:jettison Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, and 9.8.0 of Jira Software Data Center and Server. This org.codehaus.jettison:jettison Dependency vulnerability, with a CVS...
DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Confluence Data Center and Server
This High severity org.apache.struts:struts2-core Dependency vulnerability was introduced in versions 1.0.1 of Confluence Data Center and Server. This org.apache.struts:struts2-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 7.21.0, 8.9.0 and 8.13.0 of Bitbucket Data Center and Server. This org.xerial.snappy:snappy-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server
This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 9.2.1, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allo...
SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server
This High severity org.apache.xmlgraphics:batik-bridge Dependency vulnerability was introduced in versions 4.20.0, 5.4.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, and 5.12.0 of Jira Service Management Data Center and Server. This org.apache.xmlgraphics:batik-bridge Dependency vulnerability, with a CV...
RCE (Remote Code Execution) in Crowd Data Center and Server
This High severity RCE Remote Code Execution vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality,...
DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Bamboo Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1 and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...
hutool-json Vulnerability in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
FALSE POSITIVE - OpenSearch Vulnerability in Bitbucket Data Center and Server
Notice of FALSE POSITIVE After review, it has been determined that CVE-2022-41906 DOES NOT affect ANY version of Bitbucket Data Center or Bitbucket Server. We have updated our bulletin and Jira tickets to reflect this update. We have taken action to prevent this false-positive from appearing in o...
Third-Party Dependency Vulnerability in Jira Service Management Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in version 4.20.0 of Jira Service Management Data Center and Server. This vulnerability, with CVSS Scores of 7.5, and CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated attacker to expose...
HSTS configuration not working in confluence 8.0.2
h3. Issue Summary This is reproducible on Data Center: Yes h3. Steps to Reproduce Configure confluence on SSL Follow KB -...
Crowd: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Crowd Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Mobile web: upgrade Underscore.js to 1.13.1 or higher
h3. Issue Summary The mobile web view in Confluence is currently using underscore.js 1.3.3. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template functio...
Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a ServerSide Template Injection vulnerability in the Email Template feature. The affected...
Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955)
A remote code exeecution vulnerability was recently discovered in Git LFS: https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html Vulnerable git clients that clone a malicious repository are vulnerable to remote code execution. Please determine if Bamboo is vulnerable. If it ...
Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)
Git LFS is vulnerable to remote code execution on Windows CVE-2021-21237: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix...
CSRF token theft through referrer headers - CVE-2021-39126
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery CSRF vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions a...
Git submodules vulnerability in Sourcetree for Mac - CVE-2020-5260
There was a vulnerability in Sourcetree for macOS and windows that could reveal Git user credentials via maliciously crafted URL by an attacker, This vulnerability is triggered when the affected version of Git is used to execute a git clone command on a malicious URL. Affected versions of Atlassi...