Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2007/11/22 6:20 a.m.29 views

Authenticating security providers fails due to ClassLoader bugs

If the Trusted Application feature is not working and the following is seen noformat WARN atlassian.seraph.filter.TrustedApplicationsFilter Failed to login trusted application: confluence1234567 due to: com.atlassian.security.auth.trustedapps.InvalidCertificateException:...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/17 5:54 p.m.29 views

Permissions at field level

I would like to be able to limit what users roles are able to modify individual fields. For example, I only want to allow particular people project managers to be able to select a fix version in an issue. However, it seems that any user who can edit an issue, including the reporter, can set the...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/06/14 8:55 a.m.29 views

CommentService validation methods do not check user's security level

The validateCommentUpdate, hasPermissionToUpdate and hasPermissionToDelete methods on DefaultCommentService check the user's comment-related permissions but neglect to check whether they have a role/group security level viewable by the user attempting to delete a comment...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/12/14 1:22 a.m.29 views

Confluence is not using the seraph logout url to define how to log out.

We need to update our use of seraph to delegate the definition of the logout url to seraph-config.xml h2. Workaround for Confluence 5.7.2 and older Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location with "x.x.x" representing your Confluence version number Extract the...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/11/14 11:3 p.m.29 views

Encrypt all passwords stored on the file system

Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be. Resolve an encryption scheme for anything requiring security stored on the file system...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:30 p.m.28 views

DoS (Denial of Service) at org.apache.activemq dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS5.8AI score0.00896EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.28 views

Injection in Confluence Data Center

This High severity Injection vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N...

7.5CVSS5.8AI score0.00498EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.28 views

BASM (Broken Authentication & Session Management) in Confluence Data Center

This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity BASM Broken Authentication & Session Management vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0,...

9.1CVSS5.8AI score0.00715EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/14 12:17 p.m.28 views

OS Command Injection in Bamboo Data Center - CVE-2026-21571

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of...

9.4CVSS6AI score0.0127EPSS
Exploits0
Atlassian
Atlassian
added 2025/06/10 3:48 a.m.28 views

DoS (Denial of Service) Third-Party Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, and 10.6.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/04/18 1:12 a.m.28 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Crucible Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in version 4.9.0 of Crucible Data Center and Server. This net.minidev:json-smart Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.28 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Crowd Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 5.2.4 and 5.3.0 of Crowd Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.3AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/23 4:58 a.m.28 views

DoS (Denial of Service) braces Dependency in Confluence Data Center

This High severity braces Dependency vulnerability was introduced in versions 7.11 of Confluence Data Center. This braces Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to...

7.5CVSS7.1AI score0.01471EPSS
Exploits1
Atlassian
Atlassian
added 2024/08/15 8:11 p.m.28 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Confluence Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 3.7.0 of Confluence Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.5AI score0.011EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/23 8:46 a.m.28 views

Bitbucket Datacenter REST API allows non-admin users to query all groups and members of the group

h3. Issue Summary Non-admin users any licensed user can query all the groups and members of the groups using the below API Groups API|https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-permission-management/api-api-latest-admin-groups-get Group memberships...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/30 1:26 p.m.28 views

Feedback button iframe should be sandboxed

h3. Issue Summary When feedback button is clicked in Jira top navigation bar, it loads an iframe with content from jira.atlassian.com. Iframe doesn't have sandbox attribute which may be seen as a potential vulnerability. IFrame sandboxing enables a set of additional restrictions for the content...

7.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/08/17 9:33 a.m.28 views

Users with no "Browse Users permissions" are able to fetch issues which are assigned to another user or reported by other user using advanced search filter

h3. Issue Summary Users with no "Browse Users permissions" are able to fetch issues which are assigned to another user or reported by other user using advanced search filter. This is reproducible on Data Center: yes h3. Steps to Reproduce Log into JIRA with a user which does not have Browse Users...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/02 10:22 a.m.28 views

Granting the 'Administer Projects' permission to a 'Custom Field' within a permission scheme allows all users to see the Project Settings

h3. Issue Summary This is reproducible on Data Center: yes Granting the Administer Projects permission to a User custom field value results in users having access to the Project Settings area even when the field is not populated. h3. Steps to Reproduce Create a new project with sample data Create...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/11/30 7:39 p.m.28 views

Insight JAMF integration - Error when Importing

h3. Issue Summary The Assets - Jamf Integration|https://marketplace.atlassian.com/apps/1219908/assets-jamf-integration?tab=overview&hosting=datacenter plugin supported by Atlassian seems to retrieve an error on the importing process "could not connect to service". h3. Steps to Reproduce The...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/24 4:23 a.m.28 views

Vulnerability in LESS Transformer Plugin used by Bitbucket

h3. Issue Summary As of Bitbucket 7.21 the LESS Transformer Plugin shipped is version 4.0.0. Unfortunately it has a dependency on commons-codec version 1.4 which has a number of security vulnerabilities. eg.commons-codec:commons-codec / 1.4 Apache Commons Codec...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2021/10/07 12:6 p.m.28 views

Local File Dislocusure to Browse All Files in /atlassian-bamboo

This vulnerability affects certain versions of Atlassian Bamboo. Attacker can craft URL to browse all files inside /atlassian-bamboo at Bamboo installation folder, which includes files at WEB-INF folder...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/07 7:58 a.m.28 views

Sending an unauthenticated request to the Synchrony allows writing to the logs

h3. Issue Summary It is possible to write log entries via Synchrony API without authentication. h3. Steps to Reproduce To do this, you have to enter the target URL in Postman:, copy the GET or POST request and send the http request. For all POST requests, you must ensure that the content length...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/05/20 10:43 p.m.28 views

Bitbucket XSS, privilege escalation from "Project Creator" to "System admin" on project deletion

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/24 1:37 p.m.28 views

Cross Site Scripting vulnerability allows injecting HTML code into table edits

h3. Issue Summary Cross Site Scripting vulnerability allows injecting HTML code into table edits h3. Steps to Reproduce Edit a page Then access the Insert macro 'Info' option. A new window will open, in which the Preview option must be selected. With the help of an intermediate proxy such as burp...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2021/03/03 10:39 p.m.28 views

Blind SSRF in Team Calendars REST API using location parameter - CVE-2020-29445

Affected versions of Confluence Server allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters. Affected versions: 7.11.0 Fixed versions: 7.11.0 7.4.8 LTS This vulnerability is attributed to Stefano Castilletti, a...

4.3CVSS5AI score0.01201EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/22 4:54 a.m.28 views

Persistent XSS through Team Calendar in Confluence Server - CVE-2020-29444

Affected versions of Team Calendar in Confluence Server allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting vulnerability in admin global setting parameters. h3. Affected versions: 7.11.0 h3. Fixed version: 7.11.0 This vulnerability is attributed to Stefano...

5.4CVSS5.3AI score0.00928EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/16 11:35 p.m.28 views

DOM XSS in the issue navigation & search view via parameter pollution - CVE-2020-36288

The issue navigation & search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting XSS vulnerability caused b...

6.1CVSS5.6AI score0.01519EPSS
Exploits0
Atlassian
Atlassian
added 2020/12/10 2:10 a.m.28 views

Sending multiple concurrent file upload requests will permanently break a review - CVE-2020-29447

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5. Affected...

4.3CVSS5.3AI score0.00991EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:17 a.m.28 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5.1AI score0.00772EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/22 1:56 a.m.28 views

DLL hijacking in Jira Server & JSD via Tomcat - CVE-2019-20419

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 Fixed versions: 8.5.5 8.7.2 8.8.0...

7.8CVSS7.5AI score0.0081EPSS
Exploits0
Atlassian
Atlassian
added 2020/02/14 1:22 p.m.28 views

Clickjacking Issue in Confluence

h3. Issue Summary Based on the https://jira.atlassian.com/browse/CONFSERVER-29230|https://jira.atlassian.com/browse/https://jira.atlassian.com/browse/CONFSERVER-29230 this was supposedly fixed from Confluence 5.8.5 version onwards and looks like it is still impacting few URL's embedded within the...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/04 11:21 p.m.28 views

Information leak through broken access control in Jira Server and Data Center - CVE-2019-20407

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check...

4.3CVSS4.9AI score0.01198EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.28 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Confluence before version 6.13.6, from version 6.14.0 before version 6.15.5, and from version 7.0.0 before 7.0.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See...

4.3CVSS2.3AI score0.00915EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/25 9:26 p.m.28 views

Improper Authorization in Jira Server through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Jira Server & Jira Data Center before version 8.3.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorizati...

4.3CVSS4.9AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/23 4:49 a.m.28 views

The bundled Atlassian Universal Plugin Manager plugin had a CSRF issue - CVE-2019-14999

The version of the bundled Atlassian Universal Plugin Manager plugin had a CSRF vulnerability that allowed remote attackers, through an administrator, uninstall plugins through a rest endpoint. See https://ecosystem.atlassian.net/browse/UPM-6044 for more details...

4.3CVSS5AI score0.00555EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/11 12:57 p.m.28 views

Unable to secure remote agents via automatic keystore management

h3. Issue Summary It is not possible to secure the remote agents to connect to the Bamboo Server using SSL through the automatic keystore management feature. h3. Steps to Reproduce Configure Bamboo to use SSL in Broker URL and Broker Client URL Securing your remote...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2019/02/14 7:7 p.m.28 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Fisheye before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details...

5.4CVSS3.4AI score0.03401EPSS
Exploits0
Atlassian
Atlassian
added 2018/10/23 12:13 a.m.28 views

Open redirect in the XsrfErrorAction resource - CVE-2018-13401

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0...

6.1CVSS4.3AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2018/06/06 12:35 a.m.28 views

XSS in EditIssue.jspa through the issuetype parameter - CVE-2018-5232

The EditIssue.jspa resource in Atlassian Jira Server before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the issuetype parameter...

6.1CVSS4.6AI score0.01008EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/10 3:55 a.m.28 views

XSS in various types of nested wiki markup - CVE-2017-18102

The bundled version of atlassian-renderer in Atlassian JIRA before version 7.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently...

5.4CVSS5.1AI score0.00921EPSS
Exploits0
Atlassian
Atlassian
added 2018/03/15 1:17 a.m.28 views

Honeypot strategy is no longer effectively preventing spam account signup

panel:title=Fix From 3.9.5 onwards we have turned off the honeypot in favour of using captcha anyone affected by this issue just needs to switch the CAPTCHA on...

7.7AI score
Exploits0
Atlassian
Atlassian
added 2017/03/04 9:49 a.m.28 views

Lucene query checks plan permission against random plan

h1. Summary Bamboo runs permission validation against random plan when execute report h1. Details When execute report generator Bamboo checks if user has READ permission to plan. Sometimes it checks it against another plan User mode Create 2 plans Plan1 and Plan2 in same project. And execute them...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2017/01/05 2:52 p.m.28 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/08/02 3:31 p.m.28 views

JSON export doesn't differentiate public from internal comments

h4. +Summary+ Currently, when exporting a SD request to JSON format, it's not possible to tell which comment is internal or public from the JSON file. h4. +Steps to reproduce+ Go to Manage add-ons - All add-ons - jira-importers-plugin - Enable JSON export Create an SD request and add one internal...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2016/07/19 7:11 p.m.28 views

XSS in Mail Whitelist Field

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61963. panel Jira Admins can create a persistant XSS on the Incoming Mail configuration page. When the value code "alert1 code is inserted in...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/05/24 2:36 p.m.28 views

The "Restrict to articles with labels" option doesn't restrict the customer portal from suggesting KB's other than those with the nominated Label

h3. Summary Currently we have the "Restrict to articles with labels", where you can specify the label for a request. When a customer is filling the summary for a request, SD will search the knowledge base for similar content from confluence pages with that label. However, the customer portal sear...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/21 5:33 p.m.28 views

Bad performance noticed on issues with long history

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-45903. panel Performing some testing with JIRA 6.4.5, I've noticed that there is a huge difference when logging work on an issue with no...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/05 10:0 p.m.28 views

Cross-Site Scripting in subscribetocalendar.action

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48910. panel The contents of the 'subCalendarId' parameter is not validated in POST requests to 'subscribetocalendar.action' and...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2014/12/19 2:48 p.m.28 views

Information disclosure - full path disclosure

Jira displays charts on the dashboard by writting a temporary file in Jira "tmp" folder and reading it through a page called "charts" When the filename provided to this page is not present, an error message displays the full path to the "tmp" folder, which lies in Jira directory. This is a...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/10/01 1:24 a.m.28 views

Confluence search returns results from Questions, eventhough CQ does not have anonymous "can-use" permissions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47841. panel h4.Steps to Reproduce: Install CQ "1.0.618" or "1.0.618.001" Make sure that CQ does not have anonymous access Brow...

1.6AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295