Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2007/02/18 10:28 p.m.23 views

Deleting user does not remove the user from a permission scheme

If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: noformat 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2002/08/26 1:28 a.m.23 views

Have JIRA delete cookie when user authentication fails

I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/07/09 10:11 p.m.23 views

Login errors in 1.3

When logging in as our special user who is restricted to one certain project, I get this error message from secure/Dashboard.jspa java.lang.IllegalArgumentException: Source may not be null at webwork.util.SubsetIteratorFilter.setSourceSubsetIteratorFilter.java:33 at...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/07/09 10:11 p.m.23 views

Login errors in 1.3

When logging in as our special user who is restricted to one certain project, I get this error message from secure/Dashboard.jspa java.lang.IllegalArgumentException: Source may not be null at webwork.util.SubsetIteratorFilter.setSourceSubsetIteratorFilter.java:33 at...

2.4AI score
Exploits0
Atlassian
Atlassian
added 2026/05/11 11:33 p.m.22 views

DoS (Denial of Service) at commons-fileupload dependency in Crucible Server

This High severity DoS Denial of Service vulnerability was introduced in version 4.9.0 of Crucible Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to...

7.5CVSS5.8AI score0.46836EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.22 views

DOM-based XSS in Jira Software Data Center

This High severity DOM-based XSS vulnerability was introduced in versions 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Software Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of...

8CVSS6.8AI score0.0077EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.22 views

DOM-based XSS in Jira Service Management Data Center

This High severity DOM-based XSS vulnerability was introduced in versions 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of...

8CVSS6.8AI score0.0077EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.22 views

File Inclusion in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.1, 9.17.1, 10.0.1, 10.1.1, 10.2.1, 10.3.0, 10.4.1, 10.5.1, 10.6.0, 10.7.1, 11.0.1, 11.1.1, 11.2.0, and 11.3.0 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.6CVSS6.7AI score0.00408EPSS
Exploits2
Atlassian
Atlassian
added 2026/04/20 2:22 a.m.22 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticat...

7.5CVSS6.6AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/17 1:47 a.m.22 views

DoS (Denial of Service) brace-expansion Dependency in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticate...

9.2CVSS6.5AI score0.00481EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/16 6:22 p.m.22 views

RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Confluence Data Center

This Confluence release includes updates to our org.yaml:snakeyaml dependency in response to CVE-2022-1471. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for...

9.8CVSS6.5AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.22 views

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...

8.7CVSS5.8AI score0.01125EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/09 10:29 p.m.22 views

Improper Authorization commons-beanutils:commons-beanutils Dependency in Jira Software Data Center

This High severity Improper Authorization vulnerability was introduced in versions 9.12.1, 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Software Data Center. This Improper Authorization vulnerability, with a CVSS Score of 8.8 and a CVSS Vector...

8.8CVSS6.2AI score0.01495EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 10:29 p.m.22 views

RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Jira Service Management Data Center

This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity RCE Remote Code Execution vulnerability was introduced in versions 11.3.3 of Jira Service Management Data...

9.8CVSS7.5AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.22 views

File Inclusion node-tar Dependency in Confluence Data Center

This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N allows a...

8.2CVSS6AI score0.00541EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/23 11:29 p.m.22 views

Injection dompurify Dependency in Confluence Data Center

This High severity Injection vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.14, and 10.2.3 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an unauthenticated attacker to...

7.3CVSS5.2AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 10:30 p.m.22 views

DoS (Denial of Service) ua-parser-js Dependency in Bitbucket Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.4.12, 10.0.1, and 10.1.1 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated...

7.5CVSS5.7AI score0.01725EPSS
Exploits2
Atlassian
Atlassian
added 2026/02/25 6:29 p.m.22 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Crucible Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 4.8.0, 4.9.0 of Crucible Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker...

7.5CVSS5.8AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2026/02/11 5:29 p.m.22 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-25927 was introduced in versions 9.0 of Confluence Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS5.5AI score0.01725EPSS
Exploits2
Atlassian
Atlassian
added 2026/01/07 7:27 p.m.22 views

MITM (Man-in-the-Middle) com.squareup.okhttp3:okhttp Dependency in Jira Software Data Center and Server

This High severity MITM Man-in-the-Middle vulnerability was introduced in version 9.12.1 and 10.3.0 of Jira Software Data Center and Server. This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:Ncode allows an unauthenticated...

7.5CVSS6AI score0.00877EPSS
Exploits0
Atlassian
Atlassian
added 2025/07/09 4:49 a.m.22 views

Improper Authorization org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.3.0, and 10.6.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L...

7.3CVSS7.3AI score0.02608EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/14 5:9 a.m.22 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.9.10, 8.13.6, 8.14.6, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score ...

7.5CVSS7.8AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2025/03/04 1:12 a.m.22 views

DoS (Denial of Service) io.netty:netty-handler Dependency in Bamboo Data Center and Server

This High severity io.netty:netty-handler Dependency vulnerability was introduced in versions 9.5.0, 9.6.0, 10.0.0, 10.1.0, and 10.2.0 of Bamboo Data Center and Server. This io.netty:netty-handler Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.3AI score0.01966EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/13 4:13 p.m.22 views

BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 5.2.0, 5.3.0, 6.0.1, 6.1.0, and 6.2.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS9.1AI score0.06287EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/13 1:13 a.m.22 views

org.postgresql:postgresql Dependency in Bitbucket Data Center and Server

This High severity org.postgresql:postgresql Dependency vulnerability was introduced in version 8.0 of Bitbucket Data Center. A version of the PostgreSQL JDBC driver is bundled in the Mesh Application /app/WEB-INF/mesh/mesh-app.jar however Mesh does not use the PostgreSQL driver, rather it uses a...

9.8CVSS7.5AI score0.0301EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/12 6:48 p.m.22 views

Third-Party Dependency in Bitbucket Data Center

This High severity Third-Party Dependency vulnerability was introduced in version 9.4.0 of Bitbucket Data Center. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, allows an unauthenticated attacker to expose...

8.8CVSS7AI score0.72648EPSS
Exploits15
Atlassian
Atlassian
added 2024/12/04 1:18 a.m.22 views

RCE (Remote Code Execution) org.apache.avro:avro Dependency in Confluence Data Center and Server

This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 6.5 of Confluence Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

9.2CVSS7.5AI score0.03278EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/23 4:58 a.m.22 views

Prototype Pollution json5 Dependency in Confluence Data Center

This High severity json5 Dependency vulnerability was introduced in versions 5.9 of Confluence Data Center. This json5 Dependency vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to...

8.8CVSS6.3AI score0.09304EPSS
Exploits1
Atlassian
Atlassian
added 2024/09/27 12:21 a.m.22 views

Allow HTTP Strict Transport Security (HSTS) to be configured in Bamboo 10

h3. Issue Summary This is reproducible on Data Center: / Up until Bamboo 9.6, HTTP Strict Transport Security|https://tools.ietf.org/html/rfc6797 was configurable in Bamboo by following the steps outlined in this KB article: How do I enable HSTS and other HTTP Security Headers in Bamboo Data...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2024/01/02 1:22 a.m.22 views

When anonymously accessed, the "Related Labels" section show labels that are tagged on pages in non-anonymous spaces.

h3. Issue Summary When anonymously accessed, the "Related Labels" section shows labels that are tagged on pages in non-anonymous spaces. This is reproducible on the Data Center: yes Pre-condition: 1. Page accessible anonymously has been labelled - e.g. label1 and label2. 2. Page that is not...

7AI score
Exploits0
Atlassian
Atlassian
added 2023/02/09 12:29 p.m.22 views

When Groovy Console Permission level is Only Jira System Admins The Users has Jira Administrator role are not able to add post function except via Run a Groovy script with this transition link

h3. Issue Summary When the permission level is "Only Jira System Admin" and the logged in user has Jira Administrator role, The user is not able to add post function via links except "Run a Groovy script with this transition" link. h3. Steps to Reproduce Login via User who has Jira system admin...

1AI score
Exploits0
Atlassian
Atlassian
added 2022/03/16 4:8 a.m.22 views

REST API Endpoint Leaked private project to unauthorized user

Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint. Affecte...

5.9AI score
Exploits0
Atlassian
Atlassian
added 2021/11/22 8:22 p.m.22 views

A User with no permission to view a Jira issue can see its summary in the "Connected Jira Issues" in the object's view

h3. Issue Summary The "Connected Jira Issues" tab in the Insight Object view does not respect the level of permission provided to the logged in user and displays all connected issues even if that user doesn't have the permission to view them. h3. Steps to Reproduce Create a Jira issue linked to a...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/06/30 3:31 p.m.22 views

Attachment name, in questions/answers, is searchable despite not having Permissions for Questions

h4. Summary The questions plugin allows administrators to restrict its usage to groups/users, similar to Confluence Permissions. Attachments uploaded to these questions/answers can be found by users that do not have Questions Permission. However, while the attachment can be searched and its title...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/03 12:25 p.m.22 views

Removing the Groups from the Accounts>Groups page doesn't remove the references from the Project Permissions page

h3. Issue Summary Removing the Groups from the AccountsGroups page doesn't remove the references from the Project Permissions page and the Global permissions page h3. Steps to Reproduce Create a New group named "newtestgroup" Add a user to the Group Add the Group Access for "newtestgroup" under t...

0.3AI score
Exploits0
Atlassian
Atlassian
added 2020/09/03 11:53 p.m.22 views

A URL to the unknown attachment place-holder utilizes http instead of https when https is configured

h3. Issue Summary A URL to the unknown attachment place-holder utilizes http instead of https when base URL is set to https, and tomcat server.xml scheme is set to https. h3. Steps to Reproduce Create a page and add an attachment to it. Open Attachments page from the view page and remove the...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2020/04/01 4:7 a.m.22 views

Customers created via the Customer Portal do not trigger an email verification

In affected versions of Jira Service Desk Server and Data Centre, it was possible to create customers with fake email addresses via the Customer Portal. This is now resolved with email verification. Affected versions: version 3.16.13 4.0.0 ≤ version 4.5.3 4.6.0 ≤ version 4.7.0 Fixed versions:...

5.4AI score
Exploits0
Atlassian
Atlassian
added 2019/02/21 9:40 p.m.22 views

Turning off audit logging does not result in any logs

h4. Steps to reproduce Enable Bamboo Audit Logging Make a change to confirm Audit Logging is turned on. Disable audit logging h4. Expected Behaviour An Audit log telling who and when turned off audit logging. h4. Observed Behaviour No Audit logs or any other log showing this change. h3. Workaroun...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2018/12/07 5:49 p.m.22 views

Sessions never expire due to continuous XHR

Summary Sessions in Bamboo are supposed to have a default inactivity timeout of 30 minutes see https://confluence.atlassian.com/bamkb/how-to-change-bamboo-user-session-timeout-848977292.html, however regardless of which timeout period is set, sessions never time out if a user doesn't close their...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/08 9:49 p.m.22 views

Request for Marketplace add-on email notifications can be sent to inactive accounts

h4. Summary Users can navigate to the Atlassian Marketplace within Jira and request add-ons to be installed. This will send all groups defined under the Jira Administrators global permission an email notification indicating a particular user has requested a particular add-on. We have observed the...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/01 5:29 a.m.22 views

Our documentation for running Confluence behind a http that terminates https is probably incorrect

Specifically, the https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html page says quote Note: don't include secure="true" in this connector. Make sure you've included correct values for protocol and proxyName. quote which differs from all of our other...

0.6AI score
Exploits0
Atlassian
Atlassian
added 2017/09/28 9:47 p.m.22 views

Email address is not validated when updating user profile

On the view profile page /secure/ViewProfile.jspa it's possible to update your user profile /secure/EditProfile!default.jspa?username=admin to an invalid email address. See attached screenshots. !Screen Shot 2017-09-28 at 2.49.48 PM.png|thumbnail! !Screen Shot 2017-09-28 at 2.49.58...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2017/09/28 4:24 a.m.22 views

jira xml export does not escape label and component values

searchrequest-sml endpoint html encodes issue description text, but not issue labels or component. This means that other plugins / products relying on this end point for these values are vulnerable to XSS attacks, see linked issue. Please html encode these string values ...

6.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/09 2:59 a.m.22 views

Git downloads over HTTP

SourceTree downloads the standalone Git and every other zips over HTTP from the Atlassian servers. This is not secure and should be switched to HTTPS...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2017/06/09 10:59 a.m.22 views

PermissionHelper is sending incorrect data

h3 summary Permissionhelper didn't send right results for user who should be able to change permissions h3.Environment Confluence 6.1.3 h3. Steps to reproduce 1. Create a group in Active Directory named "app-confluence-space-keyuser", and add some users i.e "test" 2. Create a group in Active...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/02 3:55 p.m.22 views

Bitdefender reported virus in Git LFS plugin

!Capture1.PNG!...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2017/05/24 3:23 p.m.22 views

Other SD Projects Knowledge Base are accessible through direct link

h3. Summary: If a Customer only able to access one SD Portal and log in to Confluence, it is actually possible for that Customer to access other SD Project KBs through a Direct URL Link including navigating the space. h3. Steps to Reproduce: Prepare a JIRA instance that is connected to Confluence...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/30 3:39 p.m.22 views

Information Exposure in JUnit Report Macro

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-52112. panel The JUnit Report Macro throws different error messages for the url parameter code:java file:///no/file/herecode...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/21 1:8 a.m.22 views

Administrators should have the ability to restrict access to the System dashboard

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-64165. panel Administrators should have the ability to restrict access to the System dashboard which by default is available to the public...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/19 9:29 a.m.22 views

XSS attack possible on FishEye file history page

The File History page was vulnerable to XSS...

1.3AI score
Exploits0
Total number of security vulnerabilities4295