Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2023/12/14 2:45 p.m.38 views

Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server

This High severity org.codehaus.plexus:plexus-utils Dependency vulnerability was introduced in versions 9.2.1 of Bamboo Data Center and Server. This org.codehaus.plexus:plexus-utils Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:...

7.5CVSS6.6AI score0.01347EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/22 2:44 a.m.38 views

DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 4.20.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.4AI score0.02114EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/12 1:45 p.m.38 views

DoS (Denial of Service) jackson-databind in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2022/07/15 9:53 a.m.38 views

The JSM Mail Handler functionality creates tickets from incoming emails in wrong projects

h3. Issue Summary When multiple Jira Service Management JSM projects are configured with a Mail Handler|https://confluence.atlassian.com/servicemanagementserver/receiving-requests-by-email-939926303.html via Project Settings Email Requests, the following issue happens: - the JSM Mail Handler...

0.3AI score
Exploits0
Atlassian
Atlassian
added 2021/11/30 6:48 p.m.38 views

Reflected XSS via /rest/collectors/1.0/template/custom - CVE-2021-43942

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting XSS vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting...

6.1CVSS3.7AI score0.55364EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/17 1:5 p.m.38 views

Anonymous user can view private project and filter names via IDOR in Average Number of Times in Status Gadget - CVE-2021-41305

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References IDOR vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version...

7.5CVSS5.6AI score0.0117EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.38 views

Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...

7.5CVSS6.4AI score0.00836EPSS
Exploits0
Atlassian
Atlassian
added 2021/08/18 1:0 a.m.38 views

Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE-2021-39121

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from...

4.3CVSS5.2AI score0.01141EPSS
Exploits0
Atlassian
Atlassian
added 2021/04/07 6:10 a.m.38 views

Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version...

5.3CVSS5.2AI score0.01401EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/16 12:44 a.m.38 views

Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233

h3. Issue Summary Atlassian Bitbucket on Windows fails to properly set ACLs on its installation directory. Because Bitbucket installs High-privileged services, this allows for multiple privilege escalation vulnerability possibilities. h3. Affected Versions The following versions are only affected...

7.8CVSS5.8AI score0.00265EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/20 2:33 a.m.38 views

Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability BAC vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS5.4AI score0.01272EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:18 a.m.38 views

DoS vulnerability in MessageBundleResource - CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed...

7.5CVSS6.8AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/03 10:38 p.m.38 views

Regex DoS via JQL version searching - CVE-2020-14177

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service DoS vulnerability in JQL version searching. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.7 8.6.0 ≤ version 8.10.2 8.11.0 ≤ versi...

6.5CVSS6.4AI score0.02233EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/29 5:18 a.m.38 views

XSS in Issue - Attachments - CVE-2020-4024

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a vnd.wap.xhtml+xml content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9...

5.4CVSS5.2AI score0.00926EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:25 a.m.38 views

Network enumeration via CSRF in Applinks endpoint

The Applinks endpoint in Atlassian Jira Server and Data Center in affected versions allows remote attackers to enumerate local network resources via a cross-site request forgery CSRF vulnerability. Affected versions: version 8.5.4 8.6.0 ≤ version 8.7.0 Fixed versions: 8.5.4 8.7.0...

4.7CVSS6.7AI score0.01021EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/12/16 10:14 p.m.38 views

Improper authorization check in the WorkflowResource class removeStatus method - CVE-2019-15013

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a projec...

4.3CVSS6.1AI score0.0121EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:19 p.m.38 views

Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email...

4.3CVSS3.6AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/25 9:43 p.m.38 views

Improper Authorization in Confluence Server through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was bundled in Confluence Server & Confluence Data Center before version 7.0.1, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a...

4.3CVSS3.5AI score0.01334EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/09 1:22 a.m.38 views

Template injection in Jira importers plugin - CVE-2019-15001

h3. Issue Summary There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin JIM. An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on...

9CVSS3AI score0.11366EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/12 3:26 a.m.38 views

User enumeration in the login.jsp resource - CVE-2019-8448

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01809EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/09 2:43 a.m.38 views

Update Application links to ensure that a version of jackson-databind containing a fix for CVE-2018-14721 is used

The version of the Atlassian Application links plugin used in Fisheye before version 4.7.1 contained a version of jackson-databind that was vulnerable to CVE-2018-14721...

10CVSS3AI score0.10458EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/09 2:28 a.m.38 views

Update the bundled version of OWASP AntiSamy to address issues

The bundled version of OWASP AntiSamy in Fisheye before version 4.7.1 was vulnerable to CVE-2017-14735 https://nvd.nist.gov/vuln/detail/CVE-2017-14735 and CVE-2016-10006 https://nvd.nist.gov/vuln/detail/CVE-2016-10006...

1.9AI score
Exploits0
Atlassian
Atlassian
added 2019/07/08 11:7 p.m.38 views

XSS in various types of nested wiki markup - CVE-2017-18102

The bundled version of atlassian-renderer in Fisheye before version 4.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently restricted to...

5.4CVSS5.1AI score0.00921EPSS
Exploits0
Atlassian
Atlassian
added 2019/02/14 7:4 p.m.38 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details...

5.4CVSS3.7AI score0.03401EPSS
Exploits0
Atlassian
Atlassian
added 2019/01/23 10:17 p.m.38 views

Command Injection via URI handling in Sourcetree for Windows - CVE-2018-20236

There was an command injection vulnerability in Sourcetree for Windows via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system. h4. Affected versions: Versions of Sourcetree for Windows befo...

9.3CVSS4.6AI score0.0644EPSS
Exploits0
Atlassian
Atlassian
added 2018/12/03 2:58 a.m.38 views

The VerifyPopServerConnection resource was vulnerable to SSRF - CVE-2018-13404

The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from...

4.1CVSS2.5AI score0.01142EPSS
Exploits0
Atlassian
Atlassian
added 2018/11/12 5:12 p.m.38 views

Security clean up /plugins/servlet/Wallboard.old 200 response

A low risk Path-Based Vulnerability exists at /plugins/servlet/Wallboard.old. Stylesheets and basic html page load for page that should not exist/deprecated...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/28 12:36 a.m.38 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0
Atlassian
Atlassian
added 2018/03/22 5:48 a.m.38 views

XSS through header injection in the /browse/~raw resource - CVE-2018-5228

The /browse/raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the handling of response headers...

6.1CVSS4.4AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2017/07/17 7:43 a.m.38 views

XSS in review dashboard through a custom filter title - CVE-2017-9507

The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the review filter title parameter...

5.4CVSS4.1AI score0.00818EPSS
Exploits0
Atlassian
Atlassian
added 2017/02/07 3:22 p.m.38 views

Service Desk mail handler create comments in other JIRA issues if subject have valid issues keys

h3. Summary Service Desk mail handler create comments in other JIRA issues if email subject have valid issues keys of issues from other JIRA Projects. h3. Environment Cloud h3. Steps to Reproduce Create a SD project Setup the mail handler Create another project and create an issue on it. Send an...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/28 4:54 a.m.38 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect JIRA...

8.1CVSS2.7AI score0.00509EPSS
Exploits0
Atlassian
Atlassian
added 2016/05/31 3:21 a.m.38 views

Forms that use the GET method cause the XSRF token to be added to the URL

h5.Steps to Reproduce: In Confluence, visit the "My Profile" page /users/viewuserprofile.action Click "Edit Profile" Note that no atltoken is present in the URL. Click "Settings" /users/viewmysettings.action Click "Edit" Note that the atltoken value is present in the URL. h5.Cause Some forms are...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/05/27 4:0 a.m.38 views

CVE-2016-4317: XSS on viewmyprofile.action page

The viewmyprofile.action resource was vulnerable to persistent XSS...

5.4CVSS2.2AI score0.0071EPSS
Exploits0
Atlassian
Atlassian
added 2014/07/19 3:14 p.m.38 views

REST API allows to get worklog from issue without access rights to that issue

On JIRA OnDemand v6.3-OD-08-005-WN also here! it's possible to get worklog by it's ID even if this worklog does not belong to issue passed in API url. Example: On our OnDemand instance I have access rights to . When I add worklog to this issue via REST API, I get its id . Now, when I call GET...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/11 7:42 a.m.38 views

disable XSRF check property has no effect on REST API

When disable the xsrf through the property in jira.xsrf.enabled=false in jira-config.properties according to the page|https://developer.atlassian.com/display/JIRADEV/Form+Token+Handling, it doesn't stop the xsrf checking when using JIRA REST API. However, the property took effect when you try som...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/10/24 12:58 a.m.38 views

Persistent XSS in JIRA charting plugin Workload Pie Chart Report

The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand. The configuration page contains an XSS vulnerability in custom field names. 1. Create a custom field with the name alert'custom field' 2. Try to...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/07 4:57 a.m.38 views

The application should return caching directives instructing browsers not to store local copies of any sensitive data.

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29625. panel We want to control the server's caching directives from within individual scripts. We have identified following locations, where...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/07 1:44 a.m.38 views

Moving an issue from a project with Issue Security to a project without does not clear out the security

To reproduce this issue, do the following: Create Project AAA Create Project BBB Create an Issue Level Security Scheme, and assign it to AAA only Create a Clone of the Default Field Configuration Scheme. Hide the field Security Level on the Cloned copy. Assign the Cloned copy to BBB. Create a New...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/12/14 1:22 a.m.38 views

Confluence is not using the seraph logout url to define how to log out.

We need to update our use of seraph to delegate the definition of the logout url to seraph-config.xml h2. Workaround for Confluence 5.7.2 and older Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location with "x.x.x" representing your Confluence version number Extract the...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/05/07 9:54 a.m.37 views

Memory leak while accessing <base-url>label/<labelname> (label search) on objects created in io.micrometer.core.instrument.ImmutableTag

h3. Issue Summary Memory leak while accessing label/ label search on objects created in io.micrometer.core.instrument.ImmutableTag This is reproducible on the Data Center: yes h3. Steps to Reproduce Use the following script to search randomly for labels code:java while : do curl...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/02/14 8:12 a.m.37 views

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in version 6.10 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS7.5AI score0.43663EPSS
Exploits13
Atlassian
Atlassian
added 2024/08/14 12:24 a.m.37 views

DoS (Denial of Service) org.clojure:clojure Dependency in Confluence Data Center and Server

This High severity org.clojure:clojure Dependency vulnerability was introduced in versions 6.0.0 of Confluence Data Center and Server. This org.clojure:clojure Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.7AI score0.01533EPSS
Exploits1
Atlassian
Atlassian
added 2024/01/17 6:46 a.m.37 views

DoS (Denial of Service) ch.qos.logback:logback-classic Dependency in Confluence Data Center and Server

This High severity ch.qos.logback:logback-classic Dependency vulnerability was introduced in versions 6.0.1 of Confluence Data Center and Server. This ch.qos.logback:logback-classic Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...

7.5CVSS7.1AI score0.00682EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/15 6:52 a.m.37 views

RCE (Remote Code Execution) in Confluence Data Center and Server

This High severity Remote Code Execution RCE vulnerability was introduced in version 2.1 of Confluence Data Center and Server. Remote Code Execution RCE vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to...

8.8CVSS7.8AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/09 5:45 a.m.37 views

DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server

This High severity ch.qos.logback:logback-core Dependency vulnerability was introduced in versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 of Bitbucket Data Center and Server. This ch.qos.logback:logback-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.009EPSS
Exploits0
Atlassian
Atlassian
added 2023/12/14 2:45 p.m.37 views

RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server

This High severity com.h2database:h2 Dependency vulnerability was introduced in versions 9.1.0, 9.2.1, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This com.h2database:h2 Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H...

8.8CVSS7.8AI score0.34986EPSS
Exploits2
Atlassian
Atlassian
added 2023/10/30 2:10 p.m.37 views

Help links not using security attributes

h3. Issue Summary Links to documentation use the anchor tag attribute target="blank" without using rel="noopener noreferrer". Best practice is to include rel="noopener noreferrer" on any link opened with target="blank" We've had some customers report that this is triggering automated security...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/15 6:15 a.m.37 views

Anonymous users can access the /rest/whitelist/<version>/check resource - CVE-2019-20101

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist//check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1. Affected...

5.3CVSS5.3AI score0.01375EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/08 1:49 a.m.37 views

An admin can downgrade or remove a group with sys admin privilege

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

5.2AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295