Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/11/19 12:25 a.m.39 views

Information disclosure of product SEN via the x-asen response header - CVE-2020-14192

Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions:...

4.3CVSS4.6AI score0.00868EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/03 10:42 p.m.39 views

Unvalidated redirects in UPM via reverse tabnapping

Affected versions of Atlassian Jira Server and Data Center allow an authenticated attacker to redirect a user to a malicious website via an unvalidated redirect vulnerability in some Universal Plugin Manager pages, e.g. "Manage apps" and "Find new apps". Affected versions: version 7.13.16 7.14.0 ...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/23 4:39 p.m.39 views

MITM in Repository Import - CVE-2020-14171

Affected versions of Atlassian Bitbucket Server allow remote attackers to intercept unencrypted repository import requests via Man-in-the-Middle MITM attack. Affected versions: 4.9.0 = version 7.2.4 Fixed versions: 7.2.4 7.3.0...

6.5CVSS6.8AI score0.00558EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/23 4:27 p.m.39 views

SSRF in Webhooks - CVE-2020-14170

Affected versions of Atlassian Bitbucket Server allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery SSRF vulnerability in Webhooks. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that...

4.3CVSS5.7AI score0.00829EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/20 6:2 a.m.39 views

Improper authorization on /rest/project-templates/1.0/createshared endpoint - CVE-2020-4029

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project names via an improper authorization vulnerability in the /rest/project-templates/1.0/createshared endpoint API endpoint. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 8.8.0 ≤ version...

4.3CVSS7.8AI score0.01448EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/12 8:1 p.m.39 views

Improper Authorization in Bitbucket Server through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Bitbucket Server & Bitbucket Data Center before version 6.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing...

4.3CVSS3.6AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:48 a.m.39 views

The ViewLogging class exposed various resources that were vulnerable to CSRF - CVE-2019-11587

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery CSRF...

6.5CVSS5.9AI score0.00799EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:20 a.m.39 views

CSRF in the ServiceExecutor resource - CVE-2019-8447

The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery CSRF vulnerability...

4.3CVSS7AI score0.00679EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 11:36 p.m.39 views

Upgrade Xstream to address CVE-2016-3674

The bundled version of XStream in Crucible before version 4.7.1 was vulnerable to CVE-2016-3674 https://nvd.nist.gov/vuln/detail/CVE-2016-3674...

7.5CVSS1.7AI score0.08179EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 11:17 p.m.39 views

XSS in various types of nested wiki markup - CVE-2017-18102

The bundled version of atlassian-renderer in Crucible before version 4.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently restricted to...

5.4CVSS3.5AI score0.00921EPSS
Exploits0
Atlassian
Atlassian
added 2019/03/31 9:40 p.m.39 views

Confluence - Path traversal vulnerability - CVE-2019-3398

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this pat...

9CVSS3.7AI score0.97153EPSS
Exploits10
Atlassian
Atlassian
added 2019/02/14 9:59 p.m.39 views

Crucible had a vulnerable version of Apache Commons FileUpload - CVE-2016-1000031

The DiskFileItem class from the Apache Commons FileUpload library before version 1.3.3 was vulnerable to CVE-2016-1000031. Atlassian Crucible was using a vulnerable version of this library, although not the DiskFileItem class. Crucible has been updated to use the safe version of the Apache...

9.8CVSS4.3AI score0.34731EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/14 9:19 p.m.39 views

Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240

The administrative linker functionality in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the href parameter...

4.8CVSS4.6AI score0.00889EPSS
Exploits0
Atlassian
Atlassian
added 2019/02/14 8:39 p.m.39 views

XSS in edit upload for a review through the wbuser parameter - CVE-2018-20241

The Edit upload resource for a review in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the wbuser parameter...

5.4CVSS4AI score0.00904EPSS
Exploits0
Atlassian
Atlassian
added 2019/01/29 1:26 a.m.39 views

Download a deleted page via word export - CVE-2018-20237

Atlassian Confluence Server from version 6.12.0 or earlier, and before version 6.13.1, or before version 6.14.0 allows an authenticated user to download a deleted page via the word export feature...

6.5CVSS4.4AI score0.01737EPSS
Exploits0
Atlassian
Atlassian
added 2019/01/23 7:19 p.m.40 views

Argument Injection via Mercurial hooks in Sourcetree for Windows - CVE-2018-20235

There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. h4. Affected...

9CVSS3.9AI score0.06686EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/28 4:38 a.m.39 views

Remote Code Execution in Sourcetree for Windows, via Mercurial repo with Git subrepo - CVE-2018-13397

There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to ga...

9CVSS5.9AI score0.02112EPSS
Exploits1
Atlassian
Atlassian
added 2014/06/06 7:21 a.m.39 views

Cannot create page/s using "Create Page" Button

We are a large corporation currently in the process of rolling out a complete Atlassian Toolchain Jira, Confluence, Bamboo, Stash within the next 4 weeks. Unfortunately in Confluence, we cannot use the "Create Page" Button, as we get the following issue regardless of when this is done or by whom:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/04 3:37 p.m.39 views

Crowd User Directory application password stored in plain text

Table: cwddirectoryattribute Column: attributevalue How to Verify in my environment: Connect to JIRA database using psql and run query: code select attributevalue from cwddirectoryattribute where attributename = 'application.password' code Note how the returned value is the plain text value of th...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/02/20 12:35 p.m.39 views

Grant "Browse Project" permission to "User Custom Field Value" makes project visible to all users

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-37117. panel If in your permission schema, you grant Browse Project permission to "User Custom Field Value", the project is visible to all...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/12/05 9:38 a.m.39 views

XSS vulnerability in 'Share a link' blueprint

Open the Create dialog - Select "Share a Link" article - In the 'Topics' field, enter an attack string such as: alert"hello" =The script will be executed...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/08 1:5 p.m.39 views

Several XSS flaws in the /rest/tinymce/1

I've found several XSS in the urls and parameters listed below. The criticality of the issues is moderated since only browsers that perform content sniffing would be affected e.g. IE7. This limitation comes from the response's Content Type header being set as text/plain. The classical payload...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/23 2:4 p.m.39 views

Different IE browser windows have different sessions and different session timeout timing

One of our user reported the following: ---- I discovered the reason why JIRA sometimes closes my IE session, it depends on the way you login: 1 When you login via navigation to your home page http://support/jira/secure/Dashboard.jspa all is ok, multiple JIRA sessions never expire. 2 When you log...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/11/14 6:28 a.m.38 views

Path Traversal Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-38819

This High severity vulnerability known as CVE-2024-38819 was introduced in 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 8.19.5, 8.19.6 of Bitbucket Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Atlassian recommends...

7.5CVSS6.8AI score0.54862EPSS
Exploits6
Atlassian
Atlassian
added 2024/11/13 6:59 a.m.38 views

CVE-2024-38819: Path traversal vulnerability in org.springframework:spring-webmvc used by Confluence Data Center

h3. Issue Summary Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the...

7.5CVSS6.6AI score0.54862EPSS
Exploits6
Atlassian
Atlassian
added 2024/11/06 10:31 p.m.38 views

XSS (Cross Site Scripting) DOMPurify Dependency in Jira Core Data Center and Server

|Please see our updated fixed version guidance for this CVE, as the fix issued in our November 2024 Security Bulletin was incomplete. This vulnerability has now been mitigated in Jira Software and the correct fixed versions have been added to this ticket. We apologize for any inconvenience our...

7.3CVSS7.7AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2024/08/15 1:36 a.m.38 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 5.4.0, 5.12.0, 5.15.0, 5.16.0, and 5.17.0 of Jira Service Management Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS...

7.5CVSS6.8AI score0.04602EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:53 a.m.38 views

Security Misconfiguration org.eclipse.jetty:jetty-server Dependency in Crowd Data Center and Server

This High severity org.eclipse.jetty:jetty-server Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.eclipse.jetty:jetty-server Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.2AI score0.06411EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:51 a.m.38 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8.8CVSS7AI score0.05018EPSS
Exploits2
Atlassian
Atlassian
added 2024/04/09 1:51 a.m.38 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of...

8.8CVSS7AI score0.03583EPSS
Exploits0
Atlassian
Atlassian
added 2024/03/15 9:50 a.m.38 views

Jira redirects the users back to the login page when SSO is used with Crowd

h3. Issue Summary Jira redirects the users back to the login page when SSO is used with Crowd when SSOSeraphAuthenticator is enabled in the seraph-config.xml. It works fine when Crowd is not used when JiraSeraphAuthenticator is enabled. This is reproducible on Data Center: Yes h3. Steps to...

7.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/02/14 10:46 a.m.38 views

DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Jira Software Data Center and Server

This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. This org.xerial.snappy:snappy-java...

7.5CVSS9.9AI score0.01707EPSS
Exploits1
Atlassian
Atlassian
added 2024/01/11 7:45 a.m.38 views

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

This High severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in all versions of Crowd Data Center and Server before 5.0.10, 5.1.8 and 5.2.3. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.02651EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/12 1:45 p.m.38 views

DoS (Denial of Service) jackson-databind in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2022/07/15 9:53 a.m.38 views

The JSM Mail Handler functionality creates tickets from incoming emails in wrong projects

h3. Issue Summary When multiple Jira Service Management JSM projects are configured with a Mail Handler|https://confluence.atlassian.com/servicemanagementserver/receiving-requests-by-email-939926303.html via Project Settings Email Requests, the following issue happens: - the JSM Mail Handler...

0.3AI score
Exploits0
Atlassian
Atlassian
added 2021/11/30 6:48 p.m.38 views

Reflected XSS via /rest/collectors/1.0/template/custom - CVE-2021-43942

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting XSS vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting...

6.1CVSS3.7AI score0.55364EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.38 views

Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References IDOR vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...

7.5CVSS5.8AI score0.01621EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/29 2:59 p.m.38 views

Replaying / intercepting a password reset POST request can allow for valid username enumeration

h3. Issue Summary Under certain conditions it's possible to enumerate valid usernames by replaying one of the password reset HTTP requests. h3. Steps to Reproduce Request a password reset email Open the password reset mail and click the link to open your browser Intercept the POST request of the...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/17 1:5 p.m.38 views

Anonymous user can view private project and filter names via IDOR in Average Number of Times in Status Gadget - CVE-2021-41305

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References IDOR vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version...

7.5CVSS5.6AI score0.0117EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.38 views

Access-revoked user can enable/disable Issue Collectors on a Jira project - CVE-2021-41312

Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors...

7.5CVSS7.1AI score0.01173EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.38 views

Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...

7.5CVSS6.4AI score0.00836EPSS
Exploits0
Atlassian
Atlassian
added 2021/08/18 1:0 a.m.38 views

Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE-2021-39121

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from...

4.3CVSS5.2AI score0.01141EPSS
Exploits0
Atlassian
Atlassian
added 2021/06/14 8:11 p.m.38 views

Upgrade bundled Java to 8u292+

Currently our latest available Jira version includes AdoptOpenJDK 1.8.0275, which does not include a fix for the following vulnerabilities: https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20 It affects AdoptOpenJDK up to 1.8.0282, so we should bundle Jira with AdoptOpenJDK 1.8.02...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/07 6:10 a.m.38 views

Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version...

5.3CVSS5.2AI score0.01401EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/16 12:44 a.m.38 views

Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233

h3. Issue Summary Atlassian Bitbucket on Windows fails to properly set ACLs on its installation directory. Because Bitbucket installs High-privileged services, this allows for multiple privilege escalation vulnerability possibilities. h3. Affected Versions The following versions are only affected...

7.8CVSS5.8AI score0.00265EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/20 2:33 a.m.38 views

Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability BAC vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS5.4AI score0.01272EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/26 5:44 a.m.38 views

Template injection vulnerability in Automation for Jira smart values - CVE-2020-14193

Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & /jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The affected versions are thos...

5.5CVSS5.7AI score0.0077EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:18 a.m.38 views

DoS vulnerability in MessageBundleResource - CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed...

7.5CVSS6.8AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/03 10:38 p.m.38 views

Regex DoS via JQL version searching - CVE-2020-14177

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service DoS vulnerability in JQL version searching. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.7 8.6.0 ≤ version 8.10.2 8.11.0 ≤ versi...

6.5CVSS6.4AI score0.02233EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/29 5:18 a.m.38 views

XSS in Issue - Attachments - CVE-2020-4024

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a vnd.wap.xhtml+xml content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9...

5.4CVSS5.2AI score0.00926EPSS
Exploits0
Total number of security vulnerabilities4295