4295 matches found
Team Calendars is not loading Jira Agile Sprint Events
h3. Issue Summary Team Calendars is not loading Jira Agile Sprint Events This is reproducible on Data Center: yes h3. Steps to Reproduce Install Confluence 8.4.0 and Jira 9.9.1 Set up application link and sample Jira project Add Jira Agile Event h3. Expected Results Expect Jira Agile Events to...
When Groovy Console Permission level is Only Jira System Admins The Users has Jira Administrator role are not able to add post function except via Run a Groovy script with this transition link
h3. Issue Summary When the permission level is "Only Jira System Admin" and the logged in user has Jira Administrator role, The user is not able to add post function via links except "Run a Groovy script with this transition" link. h3. Steps to Reproduce Login via User who has Jira system admin...
A User with no permission to view a Jira issue can see its summary in the "Connected Jira Issues" in the object's view
h3. Issue Summary The "Connected Jira Issues" tab in the Insight Object view does not respect the level of permission provided to the logged in user and displays all connected issues even if that user doesn't have the permission to view them. h3. Steps to Reproduce Create a Jira issue linked to a...
Audit Logs Store LDAP Password in Plain Text
h3. Problem In Confluence, when an external LDAP directory is created/modified, Audit logs store the LDAP connection password as plain text. h3. Environment 7.4.x . h3. Steps to Reproduce 1. In Confluence, create or modify a directory as Microsoft Active Directory, Crowd, Jira etc 2. After...
Removing the Groups from the Accounts>Groups page doesn't remove the references from the Project Permissions page
h3. Issue Summary Removing the Groups from the AccountsGroups page doesn't remove the references from the Project Permissions page and the Global permissions page h3. Steps to Reproduce Create a New group named "newtestgroup" Add a user to the Group Add the Group Access for "newtestgroup" under t...
A URL to the unknown attachment place-holder utilizes http instead of https when https is configured
h3. Issue Summary A URL to the unknown attachment place-holder utilizes http instead of https when base URL is set to https, and tomcat server.xml scheme is set to https. h3. Steps to Reproduce Create a page and add an attachment to it. Open Attachments page from the view page and remove the...
Customers created via the Customer Portal do not trigger an email verification
In affected versions of Jira Service Desk Server and Data Centre, it was possible to create customers with fake email addresses via the Customer Portal. This is now resolved with email verification. Affected versions: version 3.16.13 4.0.0 ≤ version 4.5.3 4.6.0 ≤ version 4.7.0 Fixed versions:...
Time logged shown on Activity Stream gadget.
h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream and this shows the time logged by a user even if the user that is logged in is not part of the group. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility...
Turning off audit logging does not result in any logs
h4. Steps to reproduce Enable Bamboo Audit Logging Make a change to confirm Audit Logging is turned on. Disable audit logging h4. Expected Behaviour An Audit log telling who and when turned off audit logging. h4. Observed Behaviour No Audit logs or any other log showing this change. h3. Workaroun...
Request for Marketplace add-on email notifications can be sent to inactive accounts
h4. Summary Users can navigate to the Atlassian Marketplace within Jira and request add-ons to be installed. This will send all groups defined under the Jira Administrators global permission an email notification indicating a particular user has requested a particular add-on. We have observed the...
Our documentation for running Confluence behind a http that terminates https is probably incorrect
Specifically, the https://confluence.atlassian.com/doc/running-confluence-behind-nginx-with-ssl-858772080.html page says quote Note: don't include secure="true" in this connector. Make sure you've included correct values for protocol and proxyName. quote which differs from all of our other...
Email address is not validated when updating user profile
On the view profile page /secure/ViewProfile.jspa it's possible to update your user profile /secure/EditProfile!default.jspa?username=admin to an invalid email address. See attached screenshots. !Screen Shot 2017-09-28 at 2.49.48 PM.png|thumbnail! !Screen Shot 2017-09-28 at 2.49.58...
jira xml export does not escape label and component values
searchrequest-sml endpoint html encodes issue description text, but not issue labels or component. This means that other plugins / products relying on this end point for these values are vulnerable to XSS attacks, see linked issue. Please html encode these string values ...
Git downloads over HTTP
SourceTree downloads the standalone Git and every other zips over HTTP from the Atlassian servers. This is not secure and should be switched to HTTPS...
PermissionHelper is sending incorrect data
h3 summary Permissionhelper didn't send right results for user who should be able to change permissions h3.Environment Confluence 6.1.3 h3. Steps to reproduce 1. Create a group in Active Directory named "app-confluence-space-keyuser", and add some users i.e "test" 2. Create a group in Active...
Bitdefender reported virus in Git LFS plugin
!Capture1.PNG!...
Other SD Projects Knowledge Base are accessible through direct link
h3. Summary: If a Customer only able to access one SD Portal and log in to Confluence, it is actually possible for that Customer to access other SD Project KBs through a Direct URL Link including navigating the space. h3. Steps to Reproduce: Prepare a JIRA instance that is connected to Confluence...
Information Exposure in JUnit Report Macro
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-52112. panel The JUnit Report Macro throws different error messages for the url parameter code:java file:///no/file/herecode...
Administrators should have the ability to restrict access to the System dashboard
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-64165. panel Administrators should have the ability to restrict access to the System dashboard which by default is available to the public...
XSS attack possible on FishEye file history page
The File History page was vulnerable to XSS...
Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file
Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...
Non-admin User Should not be able to see all users/groups in drop down
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Portfolio Server. Using JIRA Portfolio Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JPOCLOUD-1781. panel h3. Summary In Plan configuration Permissions Plan access. Non-admin users can try to add Viewers and see all...
XSS in pull request inbox
A potential XSS issue was identified in the pull request inbox, and has been fixed in Bitbucket Server 4.12.1...
Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-45392. panel For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets t...
Secure SSL flag does not work when using Delegated LDAP
h3. Summary The Secure SSL flag under the Advanced Settings section in the LDAP settings does not work when using Delegated LDAP/Internal with LDAP Authentication in JIRA. h3. Steps to Reproduce Add a Delegated LDAP AD in JIRA Checking the Secure SSL checkbox and hit the Save and Test button if w...
Issue Security Scheme Changes Are Not Reported In Audit Log
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-62187. panel h3. Summary When a change is made to an issue security scheme, nothing is logged in the Audit Log. This means that an...
XSS in newFileName Field
From an external report: quote Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the...
The "Restrict to articles with labels" option doesn't restrict the customer portal from suggesting KB's other than those with the nominated Label
h3. Summary Currently we have the "Restrict to articles with labels", where you can specify the label for a request. When a customer is filling the summary for a request, SD will search the knowledge base for similar content from confluence pages with that label. However, the customer portal sear...
Permission issues with projects and reviews
There are 2 issues related to permission schema. They were grouped together into a single issue, marked with a security label. h4. Issue 1 User visited in the past Project A. Also he has visited a review raised in Project A. FeCru allows him to access those recent items using the menu on top...
Security Issue with multimedia playback on Mac OSX
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-41124. panel Currently your multimedia playback method uses an older and insecure method. I had to reinstate old plugins to mak...
XSS vulnerability found in profile settings
There was a XSS vulnerability found in profile settings pages...
Customer can see Internal Comment created by Automation Action
h5. Environment - run JIRA from atlas-debug - JIRA 7.0.5 - JIRA Service Desk 3.0.5 h5. Steps to reproduce Create Service Desk project go to Administration - Automation tab click New rule - Custom rule add Trigger Issue Created add Action Add comment put some Comment text and select Internal as...
Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances
Users existing in remote Crowd/JIRA authentication source may get access to FishEye/Crucible instance even if they are not members of specified "Groups to Synchronise"...
Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances
Users existing in remote Crowd/JIRA authentication source may get access to FishEye/Crucible instance even if they are not members of specified "Groups to Synchronise"...
One FishEye admin can get access to repository password provided by another admin
It was possible to retrieve the repository passwords provided by another administrator via web browser session. It was fixed now, so password can still be changed or unset if necessary, but it is not possible to read its contents...
Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
Crowd is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to frame crowd from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name. This issue can be...
Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
Crowd is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to frame crowd from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name. This issue can be...
Backup action is XSRF vulnerable
XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...
Backup action is XSRF vulnerable
XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...
Backup action is XSRF vulnerable
XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...
XSS in review file paths
We have identified a XSS vulnerability introduced in Crucible 3.9.0. Fix was included in 3.9.1 version released publicly on September 10th, 2015...
Prevent Activity feed information leakage by allowing permanently disabling of it
It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances, internal and external, which are connected one to another. Having them connected is clearly a business requirement for being able to cross link issues and to copy them...
Migrating JIRA/Confluence from Cloud to Cloud reactivates inactive users
h3. Summary Admin migrated a Cloud instance of JIRA/Confluence to a new base URL. During the migration to the new JIRA/Confluence instance, inactive users became active. h3. Environment JIRA Cloud Confluence Cloud h3. Steps to Reproduce Create a user in JIRA Cloud Deactive user. Make inactive...
SEN available in HTTP Response headers
Cloned from JRA-45188 h3. Summary Seems we're giving away our Support Entitlement Numbers SEN in our HTTP response headers. Risk here is that users who obtain these can then get free support in SAC. h3. Environment JIRA and Confluence Server JIRA and Confluence Cloud Potentially other apps h3...
Use integrated Windows Auth for Proxy Authentication
Hi, I'm looking to secure access to the internet via an authenticated proxy and would like to avoid username passwords within init strings. https://confluence.atlassian.com/display/JIRAKB/How+to+Configure+an+Outbound+HTTP+and+HTTPS+Proxy+for+JIRA describes a scenario where this may be possible,...
Use integrated Windows Auth for Proxy Authentication
Hi, I'm looking to secure access to the internet via an authenticated proxy and would like to avoid username passwords within init strings. https://confluence.atlassian.com/display/JIRAKB/How+to+Configure+an+Outbound+HTTP+and+HTTPS+Proxy+for+JIRA describes a scenario where this may be possible,...
Disabled Users Receive Notification from Team Calendar
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48834. panel h3. Summary Confluence disabled users that subscribed to a calendar still receive notifications when calendar have...
As a Confluence Administrator, I would like to configure the 'Attachment Download Security Policy' on a per space basis
h3. Problem Definition As a Confluence Administrator, I would like to configure the 'Attachment Download Security Policy' on a per space basis. At the moment, the setting is applied at a global basis, which does not work if you want attachments to be downloaded/displayed inline depending on the...
Users with only View Space permission are able to edit Space Questions
h2. Problem Summary Users are able to edit any Space Questions as long as they have View permissions for that space. This includes questions asked by other users. Users do not need to have Space Admin or even Add/Edit Page permissions to the space, only View is required. This is inconsistent when...
Advanced JQL Search does not Respect User email visibility Hidden
h4. Problem The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails See screenshots h4. Steps to Reproduce Set User email visibility to Hidden JIRA Administration System General Configuration Edit Use...