4295 matches found
QueryCompenentRenderer API returns project key
When an unauthenticated remote attacker accesses "/secure/QueryComponentRendererValue!Default.jspa?pid=10000", the project key is returned: code:java "project":"name":"Project","viewHtml":" \n \n Project:\n \n Project id=10,000 \n","editHtml":"\n","jql":"project =...
Transition screen removed when project admin edits a transition
h3. Problem The relevant transition screen gets removed when a project admin without Jira Administrator global permission attempts to edit a transition. h3. Environment Jira h3. Steps to Reproduce Create a new project I used Scrum software development template Modify one of the transitions in the...
Mask Webhook secret Key
While configuring webhooks in bitbucket, we have the option to provide a secret key that is not masked, and hence the plain text secret key is visible in audit logs, kindly mask the secret key Steps to reproduce Configure webhook in Bitbucket server When the hook is created,modified we see the...
Source configuration information leakage in API response
Affected versions of Atlassian Jira Service Management Server and Data Center allow an unauthorised user to view source configuration information via information disclosure in the endpoint /rest/insight/1.0/progress/category/imports/. Affected versions: 4.19.0 Fixed versions: 4.20.6...
Leaked admin credentials via Insight object import
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated users to see admin credentials via an information disclosure vulnerability in the \BaseUrl/rest/insight/1.0/import/module/test/rlabs-import-type-json?objectSchemaId= endpoint. The affected versions a...
Anonymous users can view list of installed gadgets in Confluence
h3. Issue Summary Endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Confluence instance. While there are not be any identifying information, user data, or anything else available to anonymous users if they hit th...
An admin can downgrade or remove a group with sys admin privilege
This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...
Attachments gets downloaded on Chromium based browsers even after user logs out from Confluence
h3. Issue Summary Attachments gets downloaded on Chromium based browsers even after user logs out from the page h3. Steps to Reproduce Create a new page in Confluence Attach any PDF or picture or any file in that page and then publish the page Copy the image link by right clicking on the image as...
Cross Site Scripting vulnerability allows injecting HTML code into table edits
h3. Issue Summary Cross Site Scripting vulnerability allows injecting HTML code into table edits h3. Steps to Reproduce Edit a page Then access the Insert macro 'Info' option. A new window will open, in which the Preview option must be selected. With the help of an intermediate proxy such as burp...
User has access to project and repository after global permission has been removed
h3. Problem User has access to project and repository after global permission has been removed. Conversely, a user in this affected state will be greeted with "permission denied" even after the global permission has been re-granted to the user. h3. Environment - Tested on 7.5 and 7.3 h3. Steps to...
REST API - Deactivate the REST API
h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is active by default and there is no way to deactivate. It should have a similar option like the Enabling the Remote...
Improper Authorization in Fisheye & Crucible through ATST Plugin - CVE-2019-15005
The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Fisheye & Crucible before version 4.7.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. Th...
Security Issue: REST API does not respect 'Allow Anonymous Access to Remote API' setting on pages that has anonymous access
h3. Summary Anonymous API access are allowed on on pages that has Anonymous View Permission, even though the 'Allow Anonymous Access to Remote API' setting not ticked h3. Steps to Reproduce Make sure that 'Allow Anonymous Access to Remote API' setting from Confluence Administration Security...
XSS attack possible on FishEye file history page
The File History page was vulnerable to XSS...
Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file
Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...
Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file
Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...
Permission issue when configuring Default Reviewers
Certain permissions relating to Default Reviewers could be circumvented by authenticated users...
SECURITY: Update application-links in JIRA Server to fix APL-1327
Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case JIRA server would update application-links from version 5.2.3 to version 5.2.4...
XSRF Security Token Missing when clicking on Contact an administrator
h3. Summary Clicking on the "Contact an administrator to perform this action." results in XSRF Security Token Missing. Tested with : Chrome Version 54.0.2840.59 64-bit Firefox 49.0 h3. Steps to Reproduce Configure Outgoing Mail Enable Contact Administrators Form from General Configurations Create...
XSS vulnerability found in profile settings
There was a XSS vulnerability found in profile settings pages...
Windows 4.0 prompted "Untrusted Certificate" error in Rooms
h3. Summary When accessing specific rooms with URL from an untrusted website, the error message "Untrusted Certificate" appears, prompt if you want to trust the certificate and continue. !Screen Shot 2016-01-22 at 10.28.08 AM.png|thumbnail! h3. Environment Windows h3. Actual Results The following...
Stronger algorithm used to digest instance admin password
Let's use PKCS5S2...
One Crucible admin can get access to repository password provided by another admin
It was possible to retrieve the repository passwords provided by another administrator via web browser session. It was fixed now, so password can still be changed or unset if necessary, but it is not possible to read its contents...
Disable Quartz Phone Home
Quartz's phone home has not yet been disabled in Crowd. http://quartz-scheduler.org/documentation/best-practices suggests setting org.terracotta.quartz.skipUpdateCheck=true as a system property to disable this check...
Disabled Users Receive Notification from Team Calendar
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-48834. panel h3. Summary Confluence disabled users that subscribed to a calendar still receive notifications when calendar have...
Stop Watching Page in email footer is broken
The link is broken, the error message says that the security token is missing...
Project's permission bypass JIRA global permissions
h3. Summary Users are able to create/comment issues via email without group membership if they are added directly to the project's permission. User shouldn't be able to do that since he can't access the application itself. Same applies to JIRA's notifications. h3. Steps to Reproduce Remove user...
Space permissions ignored in list of blog posts by date
h3. Summary Users have the ability to view a list of all blog posts, even from spaces in which they don't have permission to access. h3. Steps to Reproduce Install Confluence 5.7.x Create two spaces Space A Space B remove all permissions for confluence-users Create a blog post in Space A Create a...
Update Java version bundled in the installer
The version of Java bundled with Confluence is 1.7.015 which is a little bit dated February 2013. We should bundle the latest version of Java 7 to ship the latest bug fixes and security patches. Updating the version of Java will also solve CONF-31688...
Restrictions not applied for inline comments in attachments
When there is a comment for a file which is attached to a restricted page, all users can see the comment, even the ones who are not allowed to see the page and its attachments. h3. Workaround for 5.7 There is no workaround for customers running Confluence 5.7. Customers are advised to upgrade to...
Disable SSLv3 in outgoing HTTPS connections from Confluence
SSLv3 is an old protocol and has been superseded by TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.0 was first defined in January 1999 and java 6 supports and uses it as the default client version in TLS handshake. SSLv3 is old and limits the ciphers that can be used. SSLv3 is also vulnerable to POODLE. We...
Request access to this page. userFullName can be modified.
Steps to reproduce: 1.-Create a page and grant permissions only for you 2.-Modify this url to point to your pageId https://extranet.atlassian.com/pages/viewpage.action?pageId=XXXXXXX&username=scia&userFullName=Scott%2BFarquhar&grantAccess=true 3.- You will be asked to grant Scott Farquhar...
Use of atlassian-whitelist plugin allows CORS access to origins which it should not
The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...
OGNL Double Evaluation Vulnerability
We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Crucible web interface. All versions of Crucible up to and including 3.6.1...
SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE
The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...
XSS in page editor via Shortcut links
Steps to reproduce: 1. add new shortcuts with default alias like "". 2. by typing searchterms@aliasname in page editor you can trigger XSS By replacing existing shortcut with malicious one, we can easily exploit multiple users using this functionality...
Activity stream on JAC contains updates from another user
Jira prompted me to change my time zone, and brought me to a profile that seems to be for a completely different user who happens to share my first name and last initial. See attached screen shot. Going directly to https://secretlocation.atlassian.net/secure/ViewProfile.jspa shows me the proper...
Adding Subscription Cal by URL stores user password unencrypted
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48402. panel I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really ...
Add global option "Enable group <anyone>"
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-39912. panel As mentioned in JRA-18076 and JRA-23255, the predefined group anyone poses security risks in many cases as it exposes projects t...
Seemingly malformed PNG file will cause JIRA to OOM within seconds
.atlassian.net was chain-OOM-ing earlier today. jworley was able to narrow it down to an image attachment on a particular issue. It's only a 300KB PNG file a screenshot from an Android device but it causes JIRA to OOM almost immediately. I've been able to replicate that behaviour on my jira-dev...
Disabled user are still able to request for password reset email.
h3. Step to Reproduce: Disable a user test in Crowd administration console make sure that there is no duplicate user Request password reset for the disabled user test h3. Expected result No mail will be sent to disabled account. h3. Observerd Result. The disabled user still receive the password...
Restrictions do not apply in calendar macro
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-49762. panel Team Calendar restrictions do not apply if the calendar is in a Calendar Macro withing a Confluence page. +Repro...
Jira outputs a stack trace to the screen when an error is encountered
panel h3. Problem When users are greeted by the error 500 page, they can click on the Request assistance link to expand and see the long stack trace of the error that occurs. The information is not useful to most of the end users but it's not possible to hide it from them. h3. Suggestion To have ...
Jira outputs a stack trace to the screen when an error is encountered
When an error condition is triggered by a user or black-box security scanner such as Acunetix, the system provides an appropriate error page. However, the error page includes the stack trace which the scanner will determine to be a potential Information Disclosure vulnerability because the stack...
Accept Answer URL should be idempotent and accept PUT or POST requests only
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46610. panel Answers currently users a single URL to both accept and un-accept answers: noformat $baseurl/acceptanswer/$answeri...
XSS in the view parameter of several actions
The following XSS issues were detected by a customer. /changelog?max=30&view=cru%22;alert4015891;//%22&@asv=cru /project/CR?max=30&projectKey=CR&view=all";alert3166631;//"&@asv=all /user/c30626?max=30&name=c30626&view=all";alert1287220;//"&@asv=all...
Bamboo crashes when XSRF protection is enabled and proxy is wrongly configured
The new feature to enable XSRF protection|https://confluence.atlassian.com/display/BAMBOO/Configuring+XSRF+protection introduced in Bamboo 5.3, causes a crash if the tomcat proxy config are wrongly configured. Steps to reproduced Configure Bamboo to use modproxy as detailed here:...
Secure Mail Archive with Space Permissions
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-31945. panel Mail Archives in a Space are currently not subject to any Read / View security context Permissions. They are visibl...
XSS vulnerability in 'Share a link' blueprint
Open the Create dialog - Select "Share a Link" article - In the 'Topics' field, enter an attack string such as: alert"hello" =The script will be executed...
UploadAction.execute vulnerable to CSRF
Sub-issue from CONF-27960. UploadAction.execute upload.action does not have CSRF protection...