Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2019/05/13 1:57 a.m.161 views

jQuery 2.2.4 is vulnerable to prototype pollution

Bitbucket Server comes with jQuery version 2.2.4. This version of jQuery is vulnerable to a security bug CVE-2019-11358, https://nvd.nist.gov/vuln/detail/CVE-2019-11358 which is only fixed in jQuery 3.4.0...

6.1CVSS2.6AI score0.87218EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2017/12/06 4:35 p.m.161 views

REST API - Improved HTTP Authentication

h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is a simple resource that help administrators to perform operations that would take some time of their day to day activities in a couple seconds, instead of a couple minutes. I...

7.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/21 9:40 p.m.160 views

Turning off audit logging does not result in any logs

h4. Steps to reproduce Enable Bamboo Audit Logging Make a change to confirm Audit Logging is turned on. Disable audit logging h4. Expected Behaviour An Audit log telling who and when turned off audit logging. h4. Observed Behaviour No Audit logs or any other log showing this change. h3. Workaroun...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/05/12 7:34 a.m.160 views

Update the version of commons-httpclient to address CVE-2012-5783 & CVE-2014-3577 and gain SNI support

Upgrade commons-httpclient to version 3.1-atlassian-2 to gain SNI support and to fix CVE-2012-5783 & CVE-2014-3577...

5.8CVSS2.3AI score0.09254EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2022/06/01 7:36 a.m.159 views

Confluence: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

The version of log4j used by Confluence has been updated from version 1.2.7-atlassian-15 to 1.2.7-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is bundled with...

9.8CVSS10.1AI score0.66537EPSS
Exploits1
Atlassian
Atlassian
added 2019/04/29 3:57 a.m.159 views

Information disclosure in the /rest/api/2/user/picker rest resource - CVE-2019-3403

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.1AI score0.52637EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2008/05/13 1:52 p.m.158 views

XSS in DWR

Confluence still uses DWR 1.1.4. This version contains a Cross Site Scripting Vulnerability in the handling of error messages. Example...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/12 3:49 a.m.156 views

Limited Remote File Read in Jira Software Server - CVE-2021-26086

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1...

7.5CVSS5.5AI score0.99999EPSS
Exploits12
Atlassian
Atlassian
added 2020/09/14 1:58 a.m.156 views

CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]

Atlassian Confluence Server and Data Center is not affected by CVE-2019-0230 Apache Struts Potential Remote Code Execution Vulnerability...

9.8CVSS4.5AI score0.97399EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2024/03/21 6:45 p.m.154 views

Jira - CVE-2024-22243

h3. Issue Summary We have several Customers waiting for a response about the vulnerability CVE-2024-22243|https://nvd.nist.gov/vuln/detail/CVE-2024-22243, if it affects Atlassian products, in particular, Jira Data Center. h3. Steps to Reproduce Run Generic Security Scan Tool h3. Expected Results...

8.1CVSS6.5AI score0.03967EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/05/20 4:0 a.m.154 views

XStream upgrade to 1.4.17

h3. Problem XStream is vulnerable to security exploits including CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html. This ticket tracks it's upgrade to 1.4.17 panel:title=Atlassian Update - July 2021|borderStyle=solid|borderColor=6554c0|titleBGColor=6554c0|bgColor=eae6ff We have upgrade...

8.8CVSS2.1AI score0.77735EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/08/18 1:48 p.m.154 views

Struts 2 CVE-2019-0230 and CVE-2019-0233 impact on Confluence

h3. Issue Summary Recently, Apache released the following report regarding two different vulnerabilities in Struts 2: |https://struts.apache.org/announce.htmla20200813 Is Confluence affected by these CVEs? h3. Steps to Reproduce Not applicable. h3. Expected Results Not applicable h3. Actual Resul...

9.8CVSS3.1AI score0.97399EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2013/12/17 1:41 p.m.154 views

Enabling the XSRF in Bamboo cause the integration with JIRA 6.1.5 to break

Steps to reproduce: install JIRA 6.1.5 install Bamboo 5.3. Make sure the "Enable XSRF protection" is enabled via Bamboo Admin Security Security Settings integrate JIRA with Bamboo using Oauth authentication OR Basic Access OR Trusted Application in the JIRA UI, it will shows that JIRA can't conne...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/10/24 10:35 p.m.153 views

Upgrade Apache Commons-text to mitigate CVE-2022-42889 (excludes bundled OpenSearch)

h3. DISCLAIMER panel:title=Bundled OpenSearch|borderStyle=solid|borderColor=3c78b5|titleBGColor=3c78b5|bgColor=e7f4fa This issues only covers commons-text usages in the Bitbucket WebApp, not the bundled OpenSearch. To track the upgrade of OpenSearch to a version that contains an updated...

9.8CVSS1.3AI score0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2019/03/31 9:40 p.m.153 views

Confluence - Path traversal vulnerability - CVE-2019-3398

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this pat...

9CVSS3.7AI score0.97153EPSS
Exploits10Affected Software1
Atlassian
Atlassian
added 2022/10/19 10:2 a.m.152 views

Vulnerable version of xmlsec used - CVE-2021-40690 in atlassian-authentication-plugin

Recently we have identified that on top of the libraries mentioned in JRASERVER-73580, there was another libraryatlassian-authentication-plugin that has a transitive dependency of xmlsec that could be related to the vulnerability described in...

7.5CVSS2.5AI score0.10448EPSS
Exploits0
Atlassian
Atlassian
added 2022/08/17 10:40 p.m.152 views

Critical severity command injection vulnerability - CVE-2022-36804

h3. Command injection vulnerability through malicious HTTP requests There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary co...

8.8CVSS1.2AI score0.99174EPSS
Exploits24
Atlassian
Atlassian
added 2023/03/23 10:22 p.m.151 views

Upgrade Tomcat for CVE-2023-28708

h3. Issue Summary The version of Tomcat bundled in Bitbucket is affected by CVE-2023-28708|https://nvd.nist.gov/vuln/detail/CVE-2023-28708 as described below: quote When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to...

4.3CVSS5.2AI score0.01831EPSS
Exploits0
Atlassian
Atlassian
added 2022/03/31 12:45 p.m.149 views

Bamboo: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16

The version of log4j bundled with Bamboo has been updated from version 1.2.7-atlassian-15 to 1.2.7-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is bundled with...

9.8CVSS5.9AI score0.66537EPSS
Exploits1
Atlassian
Atlassian
added 2019/11/19 8:26 p.m.149 views

RCE jackson-databind

h3. Issue Summary https://hello.atlassian.net/wiki/spaces/SECURITY/pages/566213966/CVE-2019-17267+Investigation+jackson-databind+RCE+again h3. Steps to Reproduce search on stash for jackson-databind...

9.8CVSS1.6AI score0.0459EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/14 9:19 p.m.149 views

Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240

The administrative linker functionality in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the href parameter...

4.8CVSS4.6AI score0.00889EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/06/18 12:30 p.m.148 views

Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20902

h3. Issue Summary Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. h3. Environment Crowd 3.x.x OpenLDAP h3. Steps to Reproduce Install Crowd 3.1.1 and connect with OpenLDAP directory. Synchronise the OpenLDAP directory. Disable one of the user from OpenLDAP...

7.5CVSS2.4AI score0.00872EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/12/17 2:9 p.m.147 views

Unauthenticated listing of labels

Issue the following HTTP request: code POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: wiki.domain.com Content-Length: 75 Content-Type: application/json "contentId":"0","macro":"name":"listlabels","params":"spaceKey":"TEST" code The service returns an HTML document containing a list of all labe...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:46 a.m.147 views

Various XSS through a repository or review filename - CVE-2017-9508

Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a repository or review file...

5.4CVSS3.8AI score0.00826EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/01/21 5:58 p.m.146 views

Pre-Authorization Limited Arbitrary File Read in Jira Server - CVE-2020-29453

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. h3. Affected versions: version 8.5.11 8.6.0 ≤ version 8.13.3 8.14.0 ≤ versi...

5.3CVSS5.7AI score0.23086EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/07 10:25 a.m.146 views

If user is restricted to only view the space they should not be able to create or import a calendar

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48465. panel panel:title=23 July 2019 Update|bgColor=e7f4fa Hi everyone, thank you for your interest in this ticket. After...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/14 8:39 p.m.145 views

XSS in edit upload for a review through the wbuser parameter - CVE-2018-20241

The Edit upload resource for a review in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the wbuser parameter...

5.4CVSS4AI score0.00904EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/09/16 3:13 a.m.144 views

User Enumeration via /ViewUserHover.jspa - CVE-2020-14181

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies. Affected versions: versio...

5.3CVSS4.2AI score0.99603EPSS
Exploits8Affected Software1
Atlassian
Atlassian
added 2023/04/12 9:24 a.m.143 views

Malicious file upload in Jira Server via anonymous sources

Affected versions of Atlassian Jira Server/DC allows an unauthenticated attacker to upload arbitrary files to Jira via file upload functionality in the fileupload url. However An attacker cannot control the filename or its location, which prevents the possibility of RCE. Files with name start...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2021/02/03 10:39 p.m.143 views

Update Atlassian Platform to 3.5.19 to fix CVE-2018-1000613, CVE-2019-17571 and other vulnerabilities

Update Atlassian Platform from 3.5.17 to 3.5.19. The new platform version brings changes in the following libraries: update com.atlassian.applinks: from 5.4.21 to 5.4.23 update com.atlassian.plugins: from 4.4.10 to 4.4.14 update com.atlassian.sal: from 3.1.2 to 3.1.3 update com.atlassian.streams:...

9.8CVSS7.7AI score0.88077EPSS
Exploits7Affected Software1
Atlassian
Atlassian
added 2020/11/23 4:53 a.m.142 views

SQL Injection in Jira Software Server [Integration for HipChat]

Affected versions of Jira Server have a SQL injection vulnerability that has now been fixed by removing the vulnerable HipChat integration plugin. Affected versions: versions 8.14.0 Fixed versions: 8.14.0 The plugin is no longer installed in new versions of Jira. However, the removal of the plugi...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/22 1:56 a.m.141 views

DLL hijacking in Jira Server & JSD via Tomcat - CVE-2019-20419

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 Fixed versions: 8.5.5 8.7.2 8.8.0...

7.8CVSS7.5AI score0.0081EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:59 a.m.141 views

XSS in the ConfigurePortalPages.jspa resource - CVE-2019-3402

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the searchOwnerUserName parameter...

6.1CVSS4.1AI score0.08947EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/03/13 3:4 p.m.140 views

Bitbucket is affected by CVE-2024-22243

h3. Issue Summary Bitbucket is affected by CVE-2024-22243|https://nvd.nist.gov/vuln/detail/CVE-2024-22243. h3. Steps to Reproduce N/A h3. Expected Results N/A h3. Actual Results N/A h3. Workaround Currently, there is no known workaround for this behaviour. A workaround will be added here when...

8.1CVSS7.8AI score0.03967EPSS
Exploits1
Atlassian
Atlassian
added 2020/04/21 10:27 p.m.140 views

Template injection in Web Resources Manager - CVE-2020-14172

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.1 allowed remote attackers to achieve remo...

9.8CVSS5.1AI score0.02505EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/08/23 6:50 a.m.139 views

Activity Stream Gadget causing high memory/CPU consumption

+Problem Definition+ Activity Stream Gadget causing high memory/CPU consumption when there is 1 million+ of records in the AO563AEEACTIVITYENTITY table. In this particular case, found that majority of these records are from 3rd party plugins Insight. However, do note that this can happen to any...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/23 11:42 p.m.139 views

Restricted Work Log entries show in the Activity Stream in JIRA Server

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/03/07 2:45 p.m.137 views

RCE (Remote Code Execution) xalan:xalan Dependency in Jira Software Data Center and Server

This High severity xalan:xalan Dependency vulnerability was introduced in versions 8.20.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This xalan:xalan Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.7AI score0.17673EPSS
Exploits2
Atlassian
Atlassian
added 2019/06/03 3:47 a.m.137 views

Changing public flag in Repository Permissions does not reflect on mirrors

h3. Issue Summary When Public flag is enabled/disabled for a mirrored repository, it doesn't sync on corresponding mirrors. h3. Steps to Reproduce Setup BbS Mirror and approve it on upstream. Create a repository in some project, let's say Project A, and set Public flag as Enabled in Repository...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/03/21 12:52 a.m.137 views

The version of moment.js used in Jira Service Desk was vulnerable to a regular expression denial of service

The version of moment.js used in Jira Service Desk Server before version 4.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/11/17 1:44 a.m.136 views

Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 7.21.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS7AI score0.10448EPSS
Exploits0
Atlassian
Atlassian
added 2022/07/08 5:6 p.m.136 views

Questions For Confluence App - Hardcoded Password

i Update: This advisory has been updated since its original publication. 2022/08/01 12:00 PM PDT Pacific Time, -7 hours color:172b4dUpdated the Remediation section to note that if the disabledsystemuser account is manually deleted, the app must also be updated or uninstalled to ensure the account...

9.8CVSS1AI score0.9817EPSS
Exploits1
Atlassian
Atlassian
added 2017/12/05 4:13 a.m.136 views

XSS through various RSS properties in the RSS macro - CVE-2017-16856

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting XSS vulnerabilities in various rss properties which were used as links without restriction on their scheme. h5. Acknowledgements Atlassian would...

6.1CVSS2.3AI score0.00809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/17 10:21 p.m.135 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6Affected Software1
Atlassian
Atlassian
added 2023/10/11 3:26 p.m.133 views

Upgrade moment library to 2.29.2+ as required for CVE-2022-24785 and CVE-2022-31129

Hi, Is it possible to upgrade the moment.js library to 2.29.2 on all Jira SM versions? It seems fixed in for Jira SW as mentioned https://jira.atlassian.com/browse/JRASERVER-75017 In JSM it is still discovered as a vulnerability...

7.5CVSS7.3AI score0.05664EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/02/02 9:59 a.m.133 views

Update jQuery to avoid CVE-2020-11022 and CVE-2020-11023

Affected versions of Atlassian Jira Server and Data Center use a version of jQuery that is vulnerable to CVE-2020-11022 and CVE-2020-11023. These allow an unauthenticated attacker to inject Javascript into the application via Cross-Site Scripting XSS vulnerabilities. The affected versions are...

6.9CVSS6.2AI score0.99019EPSS
Exploits11
Atlassian
Atlassian
added 2019/03/21 12:46 a.m.133 views

The version of moment.js used in Jira was vulnerable to a regular expression denial of service

The version of moment.js used in in Jira before version 7.12.3, from version 7.13.0 before version 7.13.1 and before version 8.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/22 1:50 a.m.132 views

Application DoS via the /rendering/wiki endpoint - CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. Affected versions version 8.8.0 Fixed versions 8.8.0...

6.5CVSS6.9AI score0.01024EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/25 4:55 a.m.132 views

SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF vulnerability due to a logic bug in the JiraWhitelist class...

6.5CVSS6AI score0.94453EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2018/01/12 2:26 a.m.132 views

Cross-site request forgery(CSRF) in the IncomingMailServers resource - CVE-2017-16862

The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.1AI score0.00644EPSS
Exploits0Affected Software1
Total number of security vulnerabilities4295