Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2018/01/12 2:26 a.m.132 views

Cross-site request forgery(CSRF) in the IncomingMailServers resource - CVE-2017-16862

The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.1AI score0.00644EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/07/04 12:7 a.m.131 views

Notifications: upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Atlassian Notifications is currently using underscore.js 1.3.3. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function,...

7.2CVSS2.4AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2016/07/14 2:22 p.m.130 views

Upgrade Tomcat to 8.0.36 or later

Current version of Tomcat 8.0.33 is vulernable to http://www.cvedetails.com/cve/CVE-2016-3092/ We need to upgrade the version we package with JIRA to address that vulnerability...

7.8CVSS1.2AI score0.35927EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/25 4:59 a.m.129 views

Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484

h3. Issue Summary The recently disclosed vulnerability regarding Tomcat|https://nvd.nist.gov/vuln/detail/CVE-2020-9484 affects the following versions: Apache Tomcat 7x 7.0.103 Apache Tomcat 8x 8.5.54 Apache Tomcat 9x 9.0.34 Apache Tomcat 10x 10.0.0-M4 We should bundle a more recent version of...

7CVSS7.1AI score0.56636EPSS
Exploits15
Atlassian
Atlassian
added 2017/08/30 2:12 a.m.129 views

The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506

The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344 . When running in an...

6.1CVSS2AI score0.71601EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2013/05/08 1:5 p.m.129 views

Several XSS flaws in the /rest/tinymce/1

I've found several XSS in the urls and parameters listed below. The criticality of the issues is moderated since only browsers that perform content sniffing would be affected e.g. IE7. This limitation comes from the response's Content Type header being set as text/plain. The classical payload...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/12/06 11:56 p.m.128 views

Upgrade OpenSearch to 1.3.7 to mitigate CVE-2022-42889

In BSERV-13534 commons-text usages were upgraded in the Bitbucket Webapp to mitigate against CVE-2022-42889 although Bitbucket WebApp was actually unaffected. The bundled OpenSearch should also be updated to 1.3.7 when it is released. The release date is currently scheduled for 13-Dec-2022:...

9.8CVSS0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2018/12/12 12:25 p.m.128 views

Crowd silently ignores changes to active status of users in Azure AD.

When Crowd synchronises users for the very first time from Azure AD it will recognise "active" state of users correctly. Unfortunately, on next synchronisations Crowd ignores changes to these statuses, so once they are set, they will never change...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/21 12:23 a.m.127 views

Upgrade bundled Tomcat to 6.0.37

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-29345. panel Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version...

6.8CVSS2.4AI score0.11975EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2021/03/11 7:39 p.m.126 views

Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center are susceptible to Tomcat PersistenceManager vulnerabilities. Affected versions: ≤ 8.16.0 Fixed versions: pending...

7.5CVSS5.1AI score0.18114EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2019/02/14 7:4 p.m.126 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details...

5.4CVSS3.7AI score0.03401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.126 views

Content spoofing in the attachment resource in the Firefox browser - CVE-2018-13389

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml...

4.7CVSS5.1AI score0.00998EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/17 3:45 a.m.125 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Confluence Server and Data Center before version 6.13.11, and from version 6.14.0 before version 7.3.3 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an improper authorization check. See...

4.9CVSS5.2AI score0.01487EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/27 9:43 a.m.124 views

OkHttp Certificate Pinning Vulnerability CVE-2016-2402

h3. Issue Summary Portfolio uses Okhttp 2.2.0 which has an identified vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2016-2402 https://www.securityfocus.com/bid/83296/info https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/ h3. Steps to Reproduce...

5.9CVSS0.2AI score0.02249EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 3:46 a.m.124 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Jira before version 8.4.2 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3.1AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/05 12:43 a.m.124 views

Unauthenticated users can view the content of Confluence blogs and pages (CVE-2017-7415)

The Confluence drafts diff rest resource made the current content of all blogs and pages in Confluence available without authentication by providing a page id or draft id. Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the conten...

7.5CVSS1.2AI score0.04351EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2016/07/14 2:22 p.m.124 views

Upgrade Tomcat to 8.0.36 or later

Current version of Tomcat 8.0.33 is vulernable to http://www.cvedetails.com/cve/CVE-2016-3092/ We need to upgrade the version we package with JIRA to address that vulnerability...

7.8CVSS1.2AI score0.35927EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/26 7:39 p.m.124 views

Update Tomcat Native DLL in JIRA Installer

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-38927. panel quote 7 new vulnerabilities were announced for OpenSSL on 5 June 2014. These vulnerabilities affect Tomcat Native, which ships...

7.5CVSS2.2AI score0.99999EPSS
Exploits87Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:8 a.m.123 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6Affected Software1
Atlassian
Atlassian
added 2020/01/28 3:52 a.m.123 views

Jira Server Comment Permissions Broken Access Control Bug - CVE-2019-20106

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug...

4.3CVSS6.3AI score0.01191EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/10/07 9:59 a.m.122 views

Jira 8.19.X ships with JDK 11.0.11 which is affected by CVE-2021-2388

h3. Issue Summary Since the release of JRASERVER-72339 , Jira 8.19.X ships with OpenJDK 11 however the bundled AdoptOpen JDK 11.0.11 is affected by CVE-2021-2388 : https://nvd.nist.gov/vuln/detail/CVE-2021-2388 - CVSS 3.1 Base Score 7.5 Quote from doc bq. This vulnerability does not apply to Java...

7.5CVSS6.5AI score0.04008EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/11 6:8 p.m.122 views

The moment.js version 2.9.0 is vulnerable to regular expression denial of service

h3. Issue Summary Bamboo uses moment.js version 2.9.0 which is vulnerable to regular expression denial of service. For additional details see https://github.com/moment/moment/issues/2936 and https://www.npmjs.com/advisories/55. h3. Suggested Solution Upgrade moment.js to version = 2.11.2...

3.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/19 7:0 p.m.122 views

URL Path Traversal in Jira Service Desk Server and Jira Service Desk Data Center Allows Information Disclosure - CVE-2019-14994

A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects...

7.5CVSS1.5AI score0.05876EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/02/04 1:15 a.m.121 views

Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0. Affected versions: version...

5.3CVSS5.8AI score0.01244EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/29 9:16 a.m.121 views

About Jira page can be accessed anonymously

h3. Issue Summary "About Jira" page can be accessed anonymously. This can expose the Jira application versions. Some customers might want to prevent this information from being available as it could be used to target other vulnerabilities specific to the version. h3. Steps to Reproduce Access...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/05/23 4:7 a.m.121 views

Incorrect permission check for deployment projects (CVE-2017-8907)

Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan...

8.8CVSS2.4AI score0.01638EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/04/30 9:4 a.m.120 views

The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2020-1935|https://vulners.com/cve/CVE-2020-1935 CVE-2019-17569|https://vulners.com/cve/CVE-2019-17569 CVE-2020-1938|https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2020-1938 Which affects the following...

9.8CVSS8.3AI score0.9927EPSS
Exploits45Affected Software1
Atlassian
Atlassian
added 2019/08/20 1:8 a.m.120 views

Links to Atlassian domains should use HTTPS for the protocol

h3. Summary Currently, all Atlassian links in Jira's footer and perhaps other locations use HTTP, instead of HTTPS. h3.Notes The user is redirected to HTTPS, but the link itself should also be HTTPS to reduce the possibility of tampering. h3.Suggested Solution All links to Atlassian domains shoul...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/04/16 6:32 a.m.120 views

Multiple vulnerabilites in Java 1.7.0_15

The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for...

10CVSS0.3AI score0.07224EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/12 3:49 a.m.118 views

Limited Remote File Read in Jira Software Server - CVE-2021-26086

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1...

7.5CVSS5.1AI score0.99999EPSS
Exploits12Affected Software1
Atlassian
Atlassian
added 2020/05/01 5:16 p.m.118 views

Access to all question drafts in private spaces via API

h3. Issue Summary Questions leak information through private space https://asecurityteam.atlassian.net/browse/BOUNTY-2559 h3. Steps to Reproduce Access to questions in spaces is limited to those users that have access to the space. However, question drafts in a restricted space can be accessed by...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/05 2:12 p.m.118 views

Oracle Security Patched DB Driver Not Working

+Issue Summary+ Following a recent security patch by Oracle for the ojdbc6.jar driver as fix for CVE-2016-3506. p23727132112040Generic.zip, available in Oracle Support download area, applying the patch to Confluence breaks Confluence with Confluence throwing: code Caused by: java.sql.SQLException...

8.1CVSS1.4AI score0.03542EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/23 8:19 a.m.117 views

JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone

h3. Summary JIRA Anonymous User Is Able To Search For Creator Name Via JQL Search Screen|http://localhost:8080/issues/?jql= By Insert Full User Name Even When Browse User Global Permission Doesn't Allow "Anyone". This is definitely not an expected behavior if "Browse User" wasn't set to anyone...

Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/19 6:43 a.m.117 views

Denial of Service attack through vulnerable Xerces-J library

quote There is WebDav endpoint that is accessible via following URL - https://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for PROPFIND request. Following python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002...

7.1CVSS1AI score0.24738EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/02 12:53 a.m.116 views

Remote code execution in workflow import - CVE-2017-18113

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution RCE vulnerability which allowed for various...

8.8CVSS5.9AI score0.01802EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:48 a.m.116 views

User enumeration through the groupuserpicker api resource - CVE-2019-8449

h3. Issue summary The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. h3. Workaround If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in...

5.3CVSS4.1AI score0.84771EPSS
Exploits8Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.116 views

Path traversal through the name of a git tag in the git repository tag rest resource - CVE-2017-18037

The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 the fixed version for 4.14.x, from version 5.0.0 before 5.0.9 the fixed version for 5.0.x, from version 5.1.0 before 5.1.8 the fixed version for 5.1.x, from version 5.2.0 before 5.2.6 the fixed...

6.5CVSS6.3AI score0.01328EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/11/15 10:54 p.m.116 views

Argument injection in Mercurial repository handling - CVE-2017-14590

Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following: create a repository in Bamboo edit an existing plan in Bamboo that has a non-linked Mercurial repository create or edit a plan...

9.6CVSS3.6AI score0.02405EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/07/27 12:52 a.m.115 views

Vulnerable version of Underscore.js used - CVE-2021-23358

Affected versions of Atlassian Jira Server and Data Center used Underscore.js 1.9.1, which was vulnerable to CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358. The affected versions of Atlassian Jira Server and Data Center are before version 8.18.0. Affected versions: version 8.13.10 8.14.0 =...

7.2CVSS5.3AI score0.04087EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2021/04/22 9:11 p.m.115 views

Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2021-25329|https://nvd.nist.gov/vuln/detail/CVE-2021-25329 and CVE-2021-25122|https://nvd.nist.gov/vuln/detail/CVE-2021-25122. The affected versions are before version 8.17.0. ...

7.5CVSS5.3AI score0.18114EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2020/03/23 1:50 a.m.115 views

DoS through Jira Gadget API - CVE-2019-20899

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. Affected versions: version 8.5.4 8.6.0 Fixed versions: This is fixed in versions 8.5.4, 8.6.1 and 8.7.0...

5.3CVSS6.3AI score0.02139EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/01 4:1 a.m.112 views

CSRF via Logging and Profiling feature - CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.3 8.0.0 ≤ version 8.1.0 Fixed versions: 7.13.3 8.1.0...

4.3CVSS6.8AI score0.00623EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/23 4:49 a.m.112 views

The bundled Atlassian Universal Plugin Manager plugin had a CSRF issue - CVE-2019-14999

The version of the bundled Atlassian Universal Plugin Manager plugin had a CSRF vulnerability that allowed remote attackers, through an administrator, uninstall plugins through a rest endpoint. See https://ecosystem.atlassian.net/browse/UPM-6044 for more details...

4.3CVSS5AI score0.00555EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/17 2:15 a.m.112 views

Server Side Request Forgery(SSRF) in the Jira Trello importer - CVE-2017-16865

The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access...

5.3CVSS5.1AI score0.00689EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/22 1:47 a.m.111 views

Information disclosure in System Administration - Global Permissions - CVE-2019-20898

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. Affected versions: version = 8.5.12: Enable feature...

7.5CVSS4.8AI score0.01304EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:59 a.m.111 views

CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port port 5466...

9.8CVSS4.6AI score0.02976EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/18 4:53 a.m.111 views

CVE-2015-5603: HipChat for JIRA plugin - Velocity Template Injection

We internally discovered that the HipChat For JIRA plugin had a resource that combined user input into a velocity template source and subsequently rendered it. Authenticated attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of the...

6.5CVSS1.2AI score0.59312EPSS
Exploits7Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.110 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Confluence before version 6.13.6, from version 6.14.0 before version 6.15.5, and from version 7.0.0 before 7.0.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See...

4.3CVSS2.3AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/09 2:59 a.m.110 views

Git downloads over HTTP

SourceTree downloads the standalone Git and every other zips over HTTP from the Atlassian servers. This is not secure and should be switched to HTTPS...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/27 3:55 a.m.109 views

RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114

A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6,...

8.8CVSS6.2AI score0.01657EPSS
Exploits0
Total number of security vulnerabilities4295