Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2018/03/08 4:18 a.m.166 views

Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5224

Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to do one or more of the following: create a repository in Bamboo edit an existing plan in Bamboo that has a...

9CVSS8.5AI score0.02822EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:59 a.m.165 views

XSS in the ConfigurePortalPages.jspa resource - CVE-2019-3402

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the searchOwnerUserName parameter...

6.1CVSS4.1AI score0.08947EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/06 2:52 a.m.162 views

Upgrade Tomcat to fix CVE-2023-28709

h3. Issue summary Apache Tomcat should be upgraded to 8.5.88 and 9.0.74 or a later version to fix CVE-2023-28709|https://nvd.nist.gov/vuln/detail/CVE-2023-28709 h3. Environment Bamboo 8, 9 h3. Steps to Reproduce Check the Apache Tomcat version on pom.xml or /bin/version.sh/bat h3. Expected Result...

7.5CVSS6.8AI score0.51547EPSS
Exploits1
Atlassian
Atlassian
added 2022/06/10 4:19 a.m.162 views

DoS (Denial of Service) in Crowd Data Center and Crowd Server - CVE-2022-29885

h2. Summary of Vulnerability This critical severity DoS Denial of Service vulnerability known as CVE-2022-29885 was introduced in version 4.0.0 of Crowd Data Center and Crowd Server. h2. Affected Versions ||Product||Affected Versions|| |Crowd Data Center Crowd Server|- 4.0.0 - 5.0.0| h2. Fixed...

7.5CVSS7.5AI score0.73139EPSS
Exploits5Affected Software1
Atlassian
Atlassian
added 2019/05/13 1:57 a.m.162 views

jQuery 2.2.4 is vulnerable to prototype pollution

Bitbucket Server comes with jQuery version 2.2.4. This version of jQuery is vulnerable to a security bug CVE-2019-11358, https://nvd.nist.gov/vuln/detail/CVE-2019-11358 which is only fixed in jQuery 3.4.0...

6.1CVSS2.6AI score0.87218EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2015/05/12 7:34 a.m.162 views

Update the version of commons-httpclient to address CVE-2012-5783 & CVE-2014-3577 and gain SNI support

Upgrade commons-httpclient to version 3.1-atlassian-2 to gain SNI support and to fix CVE-2012-5783 & CVE-2014-3577...

5.8CVSS2.3AI score0.09254EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/10/21 11:57 a.m.161 views

CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Confluence is currently using underscore.js 1.10.2. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a...

7.2CVSS2.1AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2017/12/06 4:35 p.m.161 views

REST API - Improved HTTP Authentication

h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is a simple resource that help administrators to perform operations that would take some time of their day to day activities in a couple seconds, instead of a couple minutes. I...

7.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/21 9:40 p.m.160 views

Turning off audit logging does not result in any logs

h4. Steps to reproduce Enable Bamboo Audit Logging Make a change to confirm Audit Logging is turned on. Disable audit logging h4. Expected Behaviour An Audit log telling who and when turned off audit logging. h4. Observed Behaviour No Audit logs or any other log showing this change. h3. Workaroun...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/06/01 7:36 a.m.159 views

Confluence: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

The version of log4j used by Confluence has been updated from version 1.2.7-atlassian-15 to 1.2.7-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is bundled with...

9.8CVSS10.1AI score0.66537EPSS
Exploits1
Atlassian
Atlassian
added 2020/04/21 10:27 p.m.159 views

Template injection in Web Resources Manager - CVE-2020-14172

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.1 allowed remote attackers to achieve remo...

9.8CVSS5.1AI score0.02505EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/12 3:49 a.m.158 views

Limited Remote File Read in Jira Software Server - CVE-2021-26086

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1...

7.5CVSS5.5AI score0.99999EPSS
Exploits12
Atlassian
Atlassian
added 2021/01/21 5:58 p.m.158 views

Pre-Authorization Limited Arbitrary File Read in Jira Server - CVE-2020-29453

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. h3. Affected versions: version 8.5.11 8.6.0 ≤ version 8.13.3 8.14.0 ≤ versi...

5.3CVSS5.7AI score0.23086EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/09/14 1:58 a.m.158 views

CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]

Atlassian Confluence Server and Data Center is not affected by CVE-2019-0230 Apache Struts Potential Remote Code Execution Vulnerability...

9.8CVSS4.5AI score0.97399EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:48 a.m.158 views

User enumeration through the groupuserpicker api resource - CVE-2019-8449

h3. Issue summary The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. h3. Workaround If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in...

5.3CVSS4.1AI score0.84771EPSS
Exploits8Affected Software1
Atlassian
Atlassian
added 2008/05/13 1:52 p.m.158 views

XSS in DWR

Confluence still uses DWR 1.1.4. This version contains a Cross Site Scripting Vulnerability in the handling of error messages. Example...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/05/20 4:0 a.m.157 views

XStream upgrade to 1.4.17

h3. Problem XStream is vulnerable to security exploits including CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html. This ticket tracks it's upgrade to 1.4.17 panel:title=Atlassian Update - July 2021|borderStyle=solid|borderColor=6554c0|titleBGColor=6554c0|bgColor=eae6ff We have upgrade...

8.8CVSS2.1AI score0.77735EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2024/03/21 6:45 p.m.155 views

Jira - CVE-2024-22243

h3. Issue Summary We have several Customers waiting for a response about the vulnerability CVE-2024-22243|https://nvd.nist.gov/vuln/detail/CVE-2024-22243, if it affects Atlassian products, in particular, Jira Data Center. h3. Steps to Reproduce Run Generic Security Scan Tool h3. Expected Results...

8.1CVSS6.5AI score0.03967EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2022/10/24 10:35 p.m.155 views

Upgrade Apache Commons-text to mitigate CVE-2022-42889 (excludes bundled OpenSearch)

h3. DISCLAIMER panel:title=Bundled OpenSearch|borderStyle=solid|borderColor=3c78b5|titleBGColor=3c78b5|bgColor=e7f4fa This issues only covers commons-text usages in the Bitbucket WebApp, not the bundled OpenSearch. To track the upgrade of OpenSearch to a version that contains an updated...

9.8CVSS1.3AI score0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2020/08/18 1:48 p.m.155 views

Struts 2 CVE-2019-0230 and CVE-2019-0233 impact on Confluence

h3. Issue Summary Recently, Apache released the following report regarding two different vulnerabilities in Struts 2: |https://struts.apache.org/announce.htmla20200813 Is Confluence affected by these CVEs? h3. Steps to Reproduce Not applicable. h3. Expected Results Not applicable h3. Actual Resul...

9.8CVSS3.1AI score0.97399EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2013/12/17 1:41 p.m.155 views

Enabling the XSRF in Bamboo cause the integration with JIRA 6.1.5 to break

Steps to reproduce: install JIRA 6.1.5 install Bamboo 5.3. Make sure the "Enable XSRF protection" is enabled via Bamboo Admin Security Security Settings integrate JIRA with Bamboo using Oauth authentication OR Basic Access OR Trusted Application in the JIRA UI, it will shows that JIRA can't conne...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/03/31 9:40 p.m.154 views

Confluence - Path traversal vulnerability - CVE-2019-3398

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this pat...

9CVSS3.7AI score0.97153EPSS
Exploits10Affected Software1
Atlassian
Atlassian
added 2018/01/12 2:26 a.m.154 views

Cross-site request forgery(CSRF) in the IncomingMailServers resource - CVE-2017-16862

The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.1AI score0.00644EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/10/19 10:2 a.m.152 views

Vulnerable version of xmlsec used - CVE-2021-40690 in atlassian-authentication-plugin

Recently we have identified that on top of the libraries mentioned in JRASERVER-73580, there was another libraryatlassian-authentication-plugin that has a transitive dependency of xmlsec that could be related to the vulnerability described in...

7.5CVSS2.5AI score0.10448EPSS
Exploits0
Atlassian
Atlassian
added 2022/08/17 10:40 p.m.152 views

Critical severity command injection vulnerability - CVE-2022-36804

h3. Command injection vulnerability through malicious HTTP requests There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary co...

8.8CVSS1.2AI score0.99077EPSS
Exploits24
Atlassian
Atlassian
added 2023/03/23 10:22 p.m.151 views

Upgrade Tomcat for CVE-2023-28708

h3. Issue Summary The version of Tomcat bundled in Bitbucket is affected by CVE-2023-28708|https://nvd.nist.gov/vuln/detail/CVE-2023-28708 as described below: quote When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to...

4.3CVSS5.2AI score0.01831EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/22 1:56 a.m.151 views

DLL hijacking in Jira Server & JSD via Tomcat - CVE-2019-20419

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 Fixed versions: 8.5.5 8.7.2 8.8.0...

7.8CVSS7.5AI score0.0081EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/11/19 8:26 p.m.151 views

RCE jackson-databind

h3. Issue Summary https://hello.atlassian.net/wiki/spaces/SECURITY/pages/566213966/CVE-2019-17267+Investigation+jackson-databind+RCE+again h3. Steps to Reproduce search on stash for jackson-databind...

9.8CVSS1.6AI score0.0459EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/31 12:45 p.m.149 views

Bamboo: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16

The version of log4j bundled with Bamboo has been updated from version 1.2.7-atlassian-15 to 1.2.7-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is bundled with...

9.8CVSS5.9AI score0.66537EPSS
Exploits1
Atlassian
Atlassian
added 2019/02/14 9:19 p.m.149 views

Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240

The administrative linker functionality in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the href parameter...

4.8CVSS4.6AI score0.00889EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/12/17 2:9 p.m.149 views

Unauthenticated listing of labels

Issue the following HTTP request: code POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: wiki.domain.com Content-Length: 75 Content-Type: application/json "contentId":"0","macro":"name":"listlabels","params":"spaceKey":"TEST" code The service returns an HTML document containing a list of all labe...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/24 1:35 a.m.148 views

DoS in avatar upload via crafted PNG file - CVE-2019-20897

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7.1 8.8.0...

6.5CVSS6.2AI score0.01875EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/06/18 12:30 p.m.148 views

Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20902

h3. Issue Summary Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. h3. Environment Crowd 3.x.x OpenLDAP h3. Steps to Reproduce Install Crowd 3.1.1 and connect with OpenLDAP directory. Synchronise the OpenLDAP directory. Disable one of the user from OpenLDAP...

7.5CVSS2.4AI score0.00872EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:46 a.m.147 views

Various XSS through a repository or review filename - CVE-2017-9508

Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a repository or review file...

5.4CVSS3.8AI score0.00826EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/07 10:25 a.m.147 views

If user is restricted to only view the space they should not be able to create or import a calendar

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48465. panel panel:title=23 July 2019 Update|bgColor=e7f4fa Hi everyone, thank you for your interest in this ticket. After...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/28 3:52 a.m.146 views

Jira Server Comment Permissions Broken Access Control Bug - CVE-2019-20106

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug...

4.3CVSS6.3AI score0.01191EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:39 p.m.145 views

Update Atlassian Platform to 3.5.19 to fix CVE-2018-1000613, CVE-2019-17571 and other vulnerabilities

Update Atlassian Platform from 3.5.17 to 3.5.19. The new platform version brings changes in the following libraries: update com.atlassian.applinks: from 5.4.21 to 5.4.23 update com.atlassian.plugins: from 4.4.10 to 4.4.14 update com.atlassian.sal: from 3.1.2 to 3.1.3 update com.atlassian.streams:...

9.8CVSS7.7AI score0.88077EPSS
Exploits7Affected Software1
Atlassian
Atlassian
added 2020/11/23 4:53 a.m.145 views

SQL Injection in Jira Software Server [Integration for HipChat]

Affected versions of Jira Server have a SQL injection vulnerability that has now been fixed by removing the vulnerable HipChat integration plugin. Affected versions: versions 8.14.0 Fixed versions: 8.14.0 The plugin is no longer installed in new versions of Jira. However, the removal of the plugi...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/14 8:39 p.m.145 views

XSS in edit upload for a review through the wbuser parameter - CVE-2018-20241

The Edit upload resource for a review in Atlassian Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the wbuser parameter...

5.4CVSS4AI score0.00904EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/04/12 9:24 a.m.143 views

Malicious file upload in Jira Server via anonymous sources

Affected versions of Atlassian Jira Server/DC allows an unauthenticated attacker to upload arbitrary files to Jira via file upload functionality in the fileupload url. However An attacker cannot control the filename or its location, which prevents the possibility of RCE. Files with name start...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2019/12/17 3:46 a.m.143 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Jira before version 8.4.2 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3.1AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/12/05 4:13 a.m.142 views

XSS through various RSS properties in the RSS macro - CVE-2017-16856

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting XSS vulnerabilities in various rss properties which were used as links without restriction on their scheme. h5. Acknowledgements Atlassian would...

6.1CVSS2.3AI score0.00809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/08/23 6:50 a.m.142 views

Activity Stream Gadget causing high memory/CPU consumption

+Problem Definition+ Activity Stream Gadget causing high memory/CPU consumption when there is 1 million+ of records in the AO563AEEACTIVITYENTITY table. In this particular case, found that majority of these records are from 3rd party plugins Insight. However, do note that this can happen to any...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/21 12:23 a.m.142 views

Upgrade bundled Tomcat to 6.0.37

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-29345. panel Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version...

6.8CVSS2.4AI score0.11975EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2024/03/13 3:4 p.m.141 views

Bitbucket is affected by CVE-2024-22243

h3. Issue Summary Bitbucket is affected by CVE-2024-22243|https://nvd.nist.gov/vuln/detail/CVE-2024-22243. h3. Steps to Reproduce N/A h3. Expected Results N/A h3. Actual Results N/A h3. Workaround Currently, there is no known workaround for this behaviour. A workaround will be added here when...

8.1CVSS7.8AI score0.03967EPSS
Exploits1
Atlassian
Atlassian
added 2019/04/29 3:47 a.m.140 views

Authorisation bypass in the ViewUpgrades resource - CVE-2019-8443

The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to...

8.1CVSS6.1AI score0.02618EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/23 11:42 p.m.139 views

Restricted Work Log entries show in the Activity Stream in JIRA Server

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/03/07 2:45 p.m.138 views

RCE (Remote Code Execution) xalan:xalan Dependency in Jira Software Data Center and Server

This High severity xalan:xalan Dependency vulnerability was introduced in versions 8.20.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This xalan:xalan Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.7AI score0.17673EPSS
Exploits2
Atlassian
Atlassian
added 2020/02/27 9:43 a.m.138 views

OkHttp Certificate Pinning Vulnerability CVE-2016-2402

h3. Issue Summary Portfolio uses Okhttp 2.2.0 which has an identified vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2016-2402 https://www.securityfocus.com/bid/83296/info https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/ h3. Steps to Reproduce...

5.9CVSS0.2AI score0.02249EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/06/03 3:47 a.m.137 views

Changing public flag in Repository Permissions does not reflect on mirrors

h3. Issue Summary When Public flag is enabled/disabled for a mirrored repository, it doesn't sync on corresponding mirrors. h3. Steps to Reproduce Setup BbS Mirror and approve it on upstream. Create a repository in some project, let's say Project A, and set Public flag as Enabled in Repository...

1.8AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295