Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2019/03/21 12:52 a.m.138 views

The version of moment.js used in Jira Service Desk was vulnerable to a regular expression denial of service

The version of moment.js used in Jira Service Desk Server before version 4.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/06/03 3:47 a.m.137 views

Changing public flag in Repository Permissions does not reflect on mirrors

h3. Issue Summary When Public flag is enabled/disabled for a mirrored repository, it doesn't sync on corresponding mirrors. h3. Steps to Reproduce Setup BbS Mirror and approve it on upstream. Create a repository in some project, let's say Project A, and set Public flag as Enabled in Repository...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/11/17 1:44 a.m.136 views

Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 7.21.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS7AI score0.10448EPSS
Exploits0
Atlassian
Atlassian
added 2022/07/08 5:6 p.m.136 views

Questions For Confluence App - Hardcoded Password

i Update: This advisory has been updated since its original publication. 2022/08/01 12:00 PM PDT Pacific Time, -7 hours color:172b4dUpdated the Remediation section to note that if the disabledsystemuser account is manually deleted, the app must also be updated or uninstalled to ensure the account...

9.8CVSS1AI score0.9817EPSS
Exploits1
Atlassian
Atlassian
added 2020/03/23 1:50 a.m.136 views

DoS through Jira Gadget API - CVE-2019-20899

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. Affected versions: version 8.5.4 8.6.0 Fixed versions: This is fixed in versions 8.5.4, 8.6.1 and 8.7.0...

5.3CVSS6.3AI score0.02139EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/17 10:21 p.m.135 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6Affected Software1
Atlassian
Atlassian
added 2021/08/04 2:52 p.m.134 views

Vulnerable version of XStream used in Jira Server and Data Center - CVE-2021-29505

Affected versions of Atlassian Jira Server and Data Center used versions of XStream that were vulnerable to security exploits including CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html. The affected versions of Jira Server and Data Center are before version 8.18.0. Affected versions:...

8.8CVSS5AI score0.77735EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/08/23 4:49 a.m.134 views

The bundled Atlassian Universal Plugin Manager plugin had a CSRF issue - CVE-2019-14999

The version of the bundled Atlassian Universal Plugin Manager plugin had a CSRF vulnerability that allowed remote attackers, through an administrator, uninstall plugins through a rest endpoint. See https://ecosystem.atlassian.net/browse/UPM-6044 for more details...

4.3CVSS5AI score0.00555EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/11 3:26 p.m.133 views

Upgrade moment library to 2.29.2+ as required for CVE-2022-24785 and CVE-2022-31129

Hi, Is it possible to upgrade the moment.js library to 2.29.2 on all Jira SM versions? It seems fixed in for Jira SW as mentioned https://jira.atlassian.com/browse/JRASERVER-75017 In JSM it is still discovered as a vulnerability...

7.5CVSS7.3AI score0.05664EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2022/07/04 12:7 a.m.133 views

Notifications: upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Atlassian Notifications is currently using underscore.js 1.3.3. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function,...

7.2CVSS2.4AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2021/02/02 9:59 a.m.133 views

Update jQuery to avoid CVE-2020-11022 and CVE-2020-11023

Affected versions of Atlassian Jira Server and Data Center use a version of jQuery that is vulnerable to CVE-2020-11022 and CVE-2020-11023. These allow an unauthenticated attacker to inject Javascript into the application via Cross-Site Scripting XSS vulnerabilities. The affected versions are...

6.9CVSS6.2AI score0.99019EPSS
Exploits11
Atlassian
Atlassian
added 2019/03/21 12:46 a.m.133 views

The version of moment.js used in Jira was vulnerable to a regular expression denial of service

The version of moment.js used in in Jira before version 7.12.3, from version 7.13.0 before version 7.13.1 and before version 8.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/14 2:22 p.m.133 views

Upgrade Tomcat to 8.0.36 or later

Current version of Tomcat 8.0.33 is vulernable to http://www.cvedetails.com/cve/CVE-2016-3092/ We need to upgrade the version we package with JIRA to address that vulnerability...

7.8CVSS1.2AI score0.35927EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/25 4:59 a.m.132 views

Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484

h3. Issue Summary The recently disclosed vulnerability regarding Tomcat|https://nvd.nist.gov/vuln/detail/CVE-2020-9484 affects the following versions: Apache Tomcat 7x 7.0.103 Apache Tomcat 8x 8.5.54 Apache Tomcat 9x 9.0.34 Apache Tomcat 10x 10.0.0-M4 We should bundle a more recent version of...

7CVSS7.1AI score0.56636EPSS
Exploits15
Atlassian
Atlassian
added 2020/04/22 1:50 a.m.132 views

Application DoS via the /rendering/wiki endpoint - CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. Affected versions version 8.8.0 Fixed versions 8.8.0...

6.5CVSS6.9AI score0.01024EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/17 2:15 a.m.130 views

Server Side Request Forgery(SSRF) in the Jira Trello importer - CVE-2017-16865

The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access...

5.3CVSS5.1AI score0.00689EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/08/30 2:12 a.m.130 views

The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506

The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344 . When running in an...

6.1CVSS2AI score0.71601EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2013/05/08 1:5 p.m.130 views

Several XSS flaws in the /rest/tinymce/1

I've found several XSS in the urls and parameters listed below. The criticality of the issues is moderated since only browsers that perform content sniffing would be affected e.g. IE7. This limitation comes from the response's Content Type header being set as text/plain. The classical payload...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/12/12 12:25 p.m.130 views

Crowd silently ignores changes to active status of users in Azure AD.

When Crowd synchronises users for the very first time from Azure AD it will recognise "active" state of users correctly. Unfortunately, on next synchronisations Crowd ignores changes to these statuses, so once they are set, they will never change...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/12/06 11:56 p.m.128 views

Upgrade OpenSearch to 1.3.7 to mitigate CVE-2022-42889

In BSERV-13534 commons-text usages were upgraded in the Bitbucket Webapp to mitigate against CVE-2022-42889 although Bitbucket WebApp was actually unaffected. The bundled OpenSearch should also be updated to 1.3.7 when it is released. The release date is currently scheduled for 13-Dec-2022:...

9.8CVSS0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2021/03/11 7:39 p.m.128 views

Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center are susceptible to Tomcat PersistenceManager vulnerabilities. Affected versions: ≤ 8.16.0 Fixed versions: pending...

7.5CVSS5.1AI score0.18114EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2014/06/26 7:39 p.m.128 views

Update Tomcat Native DLL in JIRA Installer

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-38927. panel quote 7 new vulnerabilities were announced for OpenSSL on 5 June 2014. These vulnerabilities affect Tomcat Native, which ships...

7.5CVSS2.2AI score0.99999EPSS
Exploits88Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.127 views

Content spoofing in the attachment resource in the Firefox browser - CVE-2018-13389

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml...

4.7CVSS5.1AI score0.00998EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/14 7:4 p.m.126 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details...

5.4CVSS3.7AI score0.03401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/18 4:53 a.m.126 views

CVE-2015-5603: HipChat for JIRA plugin - Velocity Template Injection

We internally discovered that the HipChat For JIRA plugin had a resource that combined user input into a velocity template source and subsequently rendered it. Authenticated attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of the...

6.5CVSS1.2AI score0.59312EPSS
Exploits7Affected Software1
Atlassian
Atlassian
added 2020/08/11 6:8 p.m.125 views

The moment.js version 2.9.0 is vulnerable to regular expression denial of service

h3. Issue Summary Bamboo uses moment.js version 2.9.0 which is vulnerable to regular expression denial of service. For additional details see https://github.com/moment/moment/issues/2936 and https://www.npmjs.com/advisories/55. h3. Suggested Solution Upgrade moment.js to version = 2.11.2...

3.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/17 3:45 a.m.125 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Confluence Server and Data Center before version 6.13.11, and from version 6.14.0 before version 7.3.3 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an improper authorization check. See...

4.9CVSS5.2AI score0.01487EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/14 2:22 p.m.125 views

Upgrade Tomcat to 8.0.36 or later

Current version of Tomcat 8.0.33 is vulernable to http://www.cvedetails.com/cve/CVE-2016-3092/ We need to upgrade the version we package with JIRA to address that vulnerability...

7.8CVSS1.2AI score0.35927EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:8 a.m.124 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6Affected Software1
Atlassian
Atlassian
added 2020/02/05 4:3 p.m.124 views

CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerat...

4.3CVSS2.8AI score0.00743EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/01/12 4:33 a.m.124 views

XSS through the orderby parameter in the issue search resource - CVE-2017-16864

The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the orderby parameter...

6.1CVSS5.7AI score0.01165EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/05 12:43 a.m.124 views

Unauthenticated users can view the content of Confluence blogs and pages (CVE-2017-7415)

The Confluence drafts diff rest resource made the current content of all blogs and pages in Confluence available without authentication by providing a page id or draft id. Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the conten...

7.5CVSS1.2AI score0.04387EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2021/02/04 1:15 a.m.123 views

Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0. Affected versions: version...

5.3CVSS5.8AI score0.01244EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/01 4:1 a.m.123 views

CSRF via Logging and Profiling feature - CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.3 8.0.0 ≤ version 8.1.0 Fixed versions: 7.13.3 8.1.0...

4.3CVSS6.8AI score0.00623EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/19 7:0 p.m.123 views

URL Path Traversal in Jira Service Desk Server and Jira Service Desk Data Center Allows Information Disclosure - CVE-2019-14994

A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects...

7.5CVSS1.5AI score0.05876EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/04/29 4:2 a.m.123 views

Information disclosure in the ManageFilters.jspa resource - CVE-2019-3401

The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.3AI score0.12719EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/10/07 9:59 a.m.122 views

Jira 8.19.X ships with JDK 11.0.11 which is affected by CVE-2021-2388

h3. Issue Summary Since the release of JRASERVER-72339 , Jira 8.19.X ships with OpenJDK 11 however the bundled AdoptOpen JDK 11.0.11 is affected by CVE-2021-2388 : https://nvd.nist.gov/vuln/detail/CVE-2021-2388 - CVSS 3.1 Base Score 7.5 Quote from doc bq. This vulnerability does not apply to Java...

7.5CVSS6.5AI score0.04008EPSS
Exploits0
Atlassian
Atlassian
added 2020/02/21 8:37 a.m.122 views

Upgrade Bouncy Castle to fix multiple CVEs

h3. Issue Summary Jira uses Bouncy Castle library in version 1.50 that's vulnerable to 10 CVEs: https://www.cvedetails.com/cve/CVE-2015-7940/ https://www.cvedetails.com/cve/CVE-2016-1000338/ https://www.cvedetails.com/cve/CVE-2016-1000339/ https://www.cvedetails.com/cve/CVE-2016-1000341/...

7.5CVSS1.6AI score0.0482EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/26 7:31 a.m.122 views

JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-59980. panel h3. Security information The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version...

5.9CVSS2.2AI score0.016EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/04/30 9:4 a.m.121 views

The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2020-1935|https://vulners.com/cve/CVE-2020-1935 CVE-2019-17569|https://vulners.com/cve/CVE-2019-17569 CVE-2020-1938|https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2020-1938 Which affects the following...

9.8CVSS8.3AI score0.9927EPSS
Exploits45Affected Software1
Atlassian
Atlassian
added 2020/04/29 9:16 a.m.121 views

About Jira page can be accessed anonymously

h3. Issue Summary "About Jira" page can be accessed anonymously. This can expose the Jira application versions. Some customers might want to prevent this information from being available as it could be used to target other vulnerabilities specific to the version. h3. Steps to Reproduce Access...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/05/23 4:7 a.m.121 views

Incorrect permission check for deployment projects (CVE-2017-8907)

Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan...

8.8CVSS2.4AI score0.01638EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/04/22 1:47 a.m.120 views

Information disclosure in System Administration - Global Permissions - CVE-2019-20898

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. Affected versions: version = 8.5.12: Enable feature...

7.5CVSS4.8AI score0.01304EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/20 1:8 a.m.120 views

Links to Atlassian domains should use HTTPS for the protocol

h3. Summary Currently, all Atlassian links in Jira's footer and perhaps other locations use HTTP, instead of HTTPS. h3.Notes The user is redirected to HTTPS, but the link itself should also be HTTPS to reduce the possibility of tampering. h3.Suggested Solution All links to Atlassian domains shoul...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/11/15 10:54 p.m.120 views

Argument injection in Mercurial repository handling - CVE-2017-14590

Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following: create a repository in Bamboo edit an existing plan in Bamboo that has a non-linked Mercurial repository create or edit a plan...

9.6CVSS3.6AI score0.02405EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2015/04/16 6:32 a.m.120 views

Multiple vulnerabilites in Java 1.7.0_15

The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for...

10CVSS0.3AI score0.07224EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/02 4:28 a.m.119 views

Stored XSS in Add Field module - CVE-2019-20900

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the Add Field module. Affected versions: version 8.7.0 Fixed versions: 8.7.0...

4.8CVSS5.2AI score0.00918EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:14 a.m.119 views

XSS in WallboardServlet through the cyclePeriod parameter - CVE-2018-20824

The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the cyclePeriod parameter...

6.1CVSS4.2AI score0.37577EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/07 10:17 p.m.119 views

The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability XSS. See https://ecosystem.atlassian.net/browse/UPM-5871 for more details...

5.4CVSS1.5AI score0.00591EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/27 12:52 a.m.118 views

Vulnerable version of Underscore.js used - CVE-2021-23358

Affected versions of Atlassian Jira Server and Data Center used Underscore.js 1.9.1, which was vulnerable to CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358. The affected versions of Atlassian Jira Server and Data Center are before version 8.18.0. Affected versions: version 8.13.10 8.14.0 =...

7.2CVSS5.3AI score0.04087EPSS
Exploits2Affected Software1
Total number of security vulnerabilities4295