4295 matches found
Deleting user does not remove the user from a permission scheme
If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: noformat 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...
Have JIRA delete cookie when user authentication fails
I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...
Login errors in 1.3
When logging in as our special user who is restricted to one certain project, I get this error message from secure/Dashboard.jspa java.lang.IllegalArgumentException: Source may not be null at webwork.util.SubsetIteratorFilter.setSourceSubsetIteratorFilter.java:33 at...
Login errors in 1.3
When logging in as our special user who is restricted to one certain project, I get this error message from secure/Dashboard.jspa java.lang.IllegalArgumentException: Source may not be null at webwork.util.SubsetIteratorFilter.setSourceSubsetIteratorFilter.java:33 at...
DoS (Denial of Service) at commons-fileupload dependency in Crucible Server
This High severity DoS Denial of Service vulnerability was introduced in version 4.9.0 of Crucible Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to...
DOM-based XSS in Jira Software Data Center
This High severity DOM-based XSS vulnerability was introduced in versions 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Software Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of...
DOM-based XSS in Jira Service Management Data Center
This High severity DOM-based XSS vulnerability was introduced in versions 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of...
File Inclusion in Jira Software Data Center
This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.1, 9.17.1, 10.0.1, 10.1.1, 10.2.1, 10.3.0, 10.4.1, 10.5.1, 10.6.0, 10.7.1, 11.0.1, 11.1.1, 11.2.0, and 11.3.0 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...
DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Service Management Data Center
This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticat...
DoS (Denial of Service) brace-expansion Dependency in Jira Service Management Data Center
This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticate...
RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Confluence Data Center
This Confluence release includes updates to our org.yaml:snakeyaml dependency in response to CVE-2022-1471. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for...
DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Bamboo Data Center
This High severity DoS Denial of Service vulnerability was introduced in versions 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...
Improper Authorization commons-beanutils:commons-beanutils Dependency in Jira Software Data Center
This High severity Improper Authorization vulnerability was introduced in versions 9.12.1, 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Software Data Center. This Improper Authorization vulnerability, with a CVSS Score of 8.8 and a CVSS Vector...
RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Jira Service Management Data Center
This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity RCE Remote Code Execution vulnerability was introduced in versions 11.3.3 of Jira Service Management Data...
File Inclusion node-tar Dependency in Confluence Data Center
This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N allows a...
Injection dompurify Dependency in Confluence Data Center
This High severity Injection vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.14, and 10.2.3 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an unauthenticated attacker to...
DoS (Denial of Service) ua-parser-js Dependency in Bitbucket Data Center
This High severity DoS Denial of Service vulnerability was introduced in versions 9.4.12, 10.0.1, and 10.1.1 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated...
DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Crucible Data Center and Server
This High severity DoS Denial of Service vulnerability was introduced in version 4.8.0, 4.9.0 of Crucible Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker...
DoS (Denial of Service) in Confluence Data Center and Server
This High severity DoS Denial of Service vulnerability known as CVE-2022-25927 was introduced in versions 9.0 of Confluence Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...
MITM (Man-in-the-Middle) com.squareup.okhttp3:okhttp Dependency in Jira Software Data Center and Server
This High severity MITM Man-in-the-Middle vulnerability was introduced in version 9.12.1 and 10.3.0 of Jira Software Data Center and Server. This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:Ncode allows an unauthenticated...
Improper Authorization org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.3.0, and 10.6.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L...
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.9.10, 8.13.6, 8.14.6, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score ...
DoS (Denial of Service) io.netty:netty-handler Dependency in Bamboo Data Center and Server
This High severity io.netty:netty-handler Dependency vulnerability was introduced in versions 9.5.0, 9.6.0, 10.0.0, 10.1.0, and 10.2.0 of Bamboo Data Center and Server. This io.netty:netty-handler Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server
This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 5.2.0, 5.3.0, 6.0.1, 6.1.0, and 6.2.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...
org.postgresql:postgresql Dependency in Bitbucket Data Center and Server
This High severity org.postgresql:postgresql Dependency vulnerability was introduced in version 8.0 of Bitbucket Data Center. A version of the PostgreSQL JDBC driver is bundled in the Mesh Application /app/WEB-INF/mesh/mesh-app.jar however Mesh does not use the PostgreSQL driver, rather it uses a...
Third-Party Dependency in Bitbucket Data Center
This High severity Third-Party Dependency vulnerability was introduced in version 9.4.0 of Bitbucket Data Center. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, allows an unauthenticated attacker to expose...
RCE (Remote Code Execution) org.apache.avro:avro Dependency in Confluence Data Center and Server
This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 6.5 of Confluence Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...
Prototype Pollution json5 Dependency in Confluence Data Center
This High severity json5 Dependency vulnerability was introduced in versions 5.9 of Confluence Data Center. This json5 Dependency vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to...
Allow HTTP Strict Transport Security (HSTS) to be configured in Bamboo 10
h3. Issue Summary This is reproducible on Data Center: / Up until Bamboo 9.6, HTTP Strict Transport Security|https://tools.ietf.org/html/rfc6797 was configurable in Bamboo by following the steps outlined in this KB article: How do I enable HSTS and other HTTP Security Headers in Bamboo Data...
When anonymously accessed, the "Related Labels" section show labels that are tagged on pages in non-anonymous spaces.
h3. Issue Summary When anonymously accessed, the "Related Labels" section shows labels that are tagged on pages in non-anonymous spaces. This is reproducible on the Data Center: yes Pre-condition: 1. Page accessible anonymously has been labelled - e.g. label1 and label2. 2. Page that is not...
When Groovy Console Permission level is Only Jira System Admins The Users has Jira Administrator role are not able to add post function except via Run a Groovy script with this transition link
h3. Issue Summary When the permission level is "Only Jira System Admin" and the logged in user has Jira Administrator role, The user is not able to add post function via links except "Run a Groovy script with this transition" link. h3. Steps to Reproduce Login via User who has Jira system admin...
REST API Endpoint Leaked private project to unauthorized user
Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint. Affecte...
A User with no permission to view a Jira issue can see its summary in the "Connected Jira Issues" in the object's view
h3. Issue Summary The "Connected Jira Issues" tab in the Insight Object view does not respect the level of permission provided to the logged in user and displays all connected issues even if that user doesn't have the permission to view them. h3. Steps to Reproduce Create a Jira issue linked to a...
Attachment name, in questions/answers, is searchable despite not having Permissions for Questions
h4. Summary The questions plugin allows administrators to restrict its usage to groups/users, similar to Confluence Permissions. Attachments uploaded to these questions/answers can be found by users that do not have Questions Permission. However, while the attachment can be searched and its title...
Removing the Groups from the Accounts>Groups page doesn't remove the references from the Project Permissions page
h3. Issue Summary Removing the Groups from the AccountsGroups page doesn't remove the references from the Project Permissions page and the Global permissions page h3. Steps to Reproduce Create a New group named "newtestgroup" Add a user to the Group Add the Group Access for "newtestgroup" under t...
A URL to the unknown attachment place-holder utilizes http instead of https when https is configured
h3. Issue Summary A URL to the unknown attachment place-holder utilizes http instead of https when base URL is set to https, and tomcat server.xml scheme is set to https. h3. Steps to Reproduce Create a page and add an attachment to it. Open Attachments page from the view page and remove the...
Customers created via the Customer Portal do not trigger an email verification
In affected versions of Jira Service Desk Server and Data Centre, it was possible to create customers with fake email addresses via the Customer Portal. This is now resolved with email verification. Affected versions: version 3.16.13 4.0.0 ≤ version 4.5.3 4.6.0 ≤ version 4.7.0 Fixed versions:...
Turning off audit logging does not result in any logs
h4. Steps to reproduce Enable Bamboo Audit Logging Make a change to confirm Audit Logging is turned on. Disable audit logging h4. Expected Behaviour An Audit log telling who and when turned off audit logging. h4. Observed Behaviour No Audit logs or any other log showing this change. h3. Workaroun...
Sessions never expire due to continuous XHR
Summary Sessions in Bamboo are supposed to have a default inactivity timeout of 30 minutes see https://confluence.atlassian.com/bamkb/how-to-change-bamboo-user-session-timeout-848977292.html, however regardless of which timeout period is set, sessions never time out if a user doesn't close their...
Request for Marketplace add-on email notifications can be sent to inactive accounts
h4. Summary Users can navigate to the Atlassian Marketplace within Jira and request add-ons to be installed. This will send all groups defined under the Jira Administrators global permission an email notification indicating a particular user has requested a particular add-on. We have observed the...
Our documentation for running Confluence behind a http that terminates https is probably incorrect
Specifically, the https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html page says quote Note: don't include secure="true" in this connector. Make sure you've included correct values for protocol and proxyName. quote which differs from all of our other...
Email address is not validated when updating user profile
On the view profile page /secure/ViewProfile.jspa it's possible to update your user profile /secure/EditProfile!default.jspa?username=admin to an invalid email address. See attached screenshots. !Screen Shot 2017-09-28 at 2.49.48 PM.png|thumbnail! !Screen Shot 2017-09-28 at 2.49.58...
jira xml export does not escape label and component values
searchrequest-sml endpoint html encodes issue description text, but not issue labels or component. This means that other plugins / products relying on this end point for these values are vulnerable to XSS attacks, see linked issue. Please html encode these string values ...
Git downloads over HTTP
SourceTree downloads the standalone Git and every other zips over HTTP from the Atlassian servers. This is not secure and should be switched to HTTPS...
PermissionHelper is sending incorrect data
h3 summary Permissionhelper didn't send right results for user who should be able to change permissions h3.Environment Confluence 6.1.3 h3. Steps to reproduce 1. Create a group in Active Directory named "app-confluence-space-keyuser", and add some users i.e "test" 2. Create a group in Active...
Bitdefender reported virus in Git LFS plugin
!Capture1.PNG!...
Other SD Projects Knowledge Base are accessible through direct link
h3. Summary: If a Customer only able to access one SD Portal and log in to Confluence, it is actually possible for that Customer to access other SD Project KBs through a Direct URL Link including navigating the space. h3. Steps to Reproduce: Prepare a JIRA instance that is connected to Confluence...
Information Exposure in JUnit Report Macro
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-52112. panel The JUnit Report Macro throws different error messages for the url parameter code:java file:///no/file/herecode...
Administrators should have the ability to restrict access to the System dashboard
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-64165. panel Administrators should have the ability to restrict access to the System dashboard which by default is available to the public...
XSS attack possible on FishEye file history page
The File History page was vulnerable to XSS...