Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2022/10/19 1:22 p.m.•21 views

Attachments that are added to drafts while collaborative editing is off are searchable when collaborative editing is turned on

h3. Issue Summary This is reproducible on Data Center: yes h3. Steps to Reproduce Turn OFF collaborative editing Create a page Add attachment to the page Do not publish the page Try searching for the draft or attachment Enable Collaborative Editing Perform Reindexing Try searching for the draft o...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2021/11/22 8:22 p.m.•21 views

A User with no permission to view a Jira issue can see its summary in the "Connected Jira Issues" in the object's view

h3. Issue Summary The "Connected Jira Issues" tab in the Insight Object view does not respect the level of permission provided to the logged in user and displays all connected issues even if that user doesn't have the permission to view them. h3. Steps to Reproduce Create a Jira issue linked to a...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2021/07/29 9:23 a.m.•21 views

Audit Logs Store LDAP Password in Plain Text

h3. Problem In Confluence, when an external LDAP directory is created/modified, Audit logs store the LDAP connection password as plain text. h3. Environment 7.4.x . h3. Steps to Reproduce 1. In Confluence, create or modify a directory as Microsoft Active Directory, Crowd, Jira etc 2. After...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2021/06/14 8:11 p.m.•21 views

Upgrade bundled Java to 8u292+

Currently our latest available Jira version includes AdoptOpenJDK 1.8.0275, which does not include a fix for the following vulnerabilities: https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20 It affects AdoptOpenJDK up to 1.8.0282, so we should bundle Jira with AdoptOpenJDK 1.8.02...

2.7AI score
Exploits0
Atlassian
Atlassian
•added 2020/09/03 11:53 p.m.•21 views

A URL to the unknown attachment place-holder utilizes http instead of https when https is configured

h3. Issue Summary A URL to the unknown attachment place-holder utilizes http instead of https when base URL is set to https, and tomcat server.xml scheme is set to https. h3. Steps to Reproduce Create a page and add an attachment to it. Open Attachments page from the view page and remove the...

0.5AI score
Exploits0
Atlassian
Atlassian
•added 2020/07/03 10:15 a.m.•21 views

Anonymous user able to access some agile board's report configuration

h3. Issue Summary When someone who did not login to Jira tried to access direct URL to Average Age Report, the user will be shown Configure - Average Age Report page instead of Jira asking the user to login. h3. Steps to Reproduce Copy the full URL to an Average Age Report Eg:...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2019/08/09 12:46 p.m.•21 views

Time logged shown on Activity Stream gadget.

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream and this shows the time logged by a user even if the user that is logged in is not part of the group. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2019/08/06 2:4 p.m.•21 views

Linking image renders image as HTTP instead of HTTPS

h3. Issue Summary Linking existing image on Confluence page will appear as broken image due to mix content. The request url is rendered with HTTP instead of HTTPS. h3. Steps to Reproduce Create/edit a page. Click + and select Files and images. Attach an image to the page. Click on image and then...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2019/03/13 12:45 p.m.•21 views

Embedded 7z vulnerable with a cvs score of 10

The embedded 7zip version is vulnerable. Please update...

2.3AI score
Exploits0
Atlassian
Atlassian
•added 2017/12/01 4:16 p.m.•21 views

Users with 'Plan Admin' privileges can change Project Name

h3. Summary Users whom have Plan level Admin privileges, but not Project level Admin privileges are able to change the Project name from /chain/admin/config/editChainDetails.action?buildKey=\projkey-\plankey h3. Steps to Reproduce h1. Step 1 Create Project with key TSTPR Create Plan within TSTPR...

3.6AI score
Exploits0
Atlassian
Atlassian
•added 2017/01/19 9:28 a.m.•21 views

Update application-links to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/19 9:28 a.m.•21 views

Update application-links to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2017/01/18 5:47 p.m.•21 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0
Atlassian
Atlassian
•added 2017/01/17 11:37 p.m.•21 views

hipchat server not supporting SSL Forward Secrecy

Security scans report that hipchat server isn't supporting SSL Forward Secrecy. HipChat Server supports TLSRSAWITHAES128CBCSHA256 which isn't forward secret. This is commonly supported for backwards compatibility, but, it is most likely not necessary on most platforms these days. Please consider...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/04 11:36 p.m.•21 views

XSS in pull request inbox

A potential XSS issue was identified in the pull request inbox, and has been fixed in Bitbucket Server 4.12.1...

1.7AI score
Exploits0
Atlassian
Atlassian
•added 2016/11/09 11:9 a.m.•21 views

User Management - Space View and Edit Control

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-45194. panel With our Confluence users linking to LDAP, it is difficult having to create and delete groups to control permission...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/03 6:49 p.m.•21 views

"Allowed review participants" isn't restricting the scope for groups

h3. Summary The "Allowed review participants" option in the project settings isn't restricting the scope for groups when searching for reviewers to be added to a review, therefore all the groups are listed, even the ones not included as allowed groups. h3. Environment Tested on Crucible 4.2.0 h3...

2.5AI score
Exploits0
Atlassian
Atlassian
•added 2016/11/02 7:29 a.m.•21 views

SECURITY: Update application-links in JIRA Server to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case JIRA server would update application-links from version 5.2.3 to version 5.2.4...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/07/19 7:11 p.m.•21 views

XSS in Mail Whitelist Field

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-61963. panel Jira Admins can create a persistant XSS on the Incoming Mail configuration page. When the value code "alert1 code is inserted...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/05/31 3:21 a.m.•21 views

Forms that use the GET method cause the XSRF token to be added to the URL

h5.Steps to Reproduce: In Confluence, visit the "My Profile" page /users/viewuserprofile.action Click "Edit Profile" Note that no atltoken is present in the URL. Click "Settings" /users/viewmysettings.action Click "Edit" Note that the atltoken value is present in the URL. h5.Cause Some forms are...

1.1AI score
Exploits0
Atlassian
Atlassian
•added 2016/03/02 3:36 p.m.•21 views

Responses with Set-Cookie header cached

h3. Context We have Jira running with SSO from Crowd. Jira is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-control, Expire and Pragma HTTP headers. h3. Problem We have discovered following cases of sessions mix up where a user \1 get the Crowd...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/03/01 11:1 a.m.•21 views

As an administrator I want to be able to configure whether XSS protection should apply to requirements or not

h3. Problem Definition For XSS protection, certain "dangerous" characters are not allowed for input in many fields in Bamboo, including for requirements. One such character is the ampersand &, which can be used for logical AND expressions such as "a && b" for "a AND b". At the moment, because XSS...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/01/07 11:34 a.m.•21 views

Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances

Users existing in remote Crowd/JIRA authentication source may get access to FishEye/Crucible instance even if they are not members of specified "Groups to Synchronise"...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/01/07 11:30 a.m.•21 views

Stronger algorithm used to digest instance admin password

Let's use PKCS5S2...

2.3AI score
Exploits0
Atlassian
Atlassian
•added 2016/01/07 11:29 a.m.•21 views

Stronger algorithm used to digest instance admin password

Let's use PKCS5S2...

2.3AI score
Exploits0
Atlassian
Atlassian
•added 2015/12/22 10:57 a.m.•21 views

Backup action is XSRF vulnerable

XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/12/04 6:16 a.m.•21 views

Upgrade to version 3.2.2 of apache commons-collections

quote This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/12/01 10:54 a.m.•21 views

It is possible to access the list of patches in a review and their content by unprivileged users

We've discovered and fixed a security issue, where the attacker could using the REST API: access the list of patches in a review their filename, database id upload date and anchor details without authentication access the patch content for any review as long as he had view access to any other...

4.9AI score
Exploits0
Atlassian
Atlassian
•added 2015/10/27 2:47 a.m.•21 views

XSRF check failure when trying to add a logo to a topic

h3. Steps to reproduce Create a topic in Confluence Questions. Select an image as a logo. Click Done. h3. Expected results The topic is created with the chosen logo. h3. Actual results The topic is created, but with the default tag logo. h3. Notes The same thing occurs when trying to add a logo t...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/10/01 8:59 a.m.•21 views

Prevent Activity feed information leakage by allowing permanently disabling of it

It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances, internal and external, which are connected one to another. Having them connected is clearly a business requirement for being able to cross link issues and to copy them...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/08/05 2:47 a.m.•21 views

Use integrated Windows Auth for Proxy Authentication

Hi, I'm looking to secure access to the internet via an authenticated proxy and would like to avoid username passwords within init strings. https://confluence.atlassian.com/display/JIRAKB/How+to+Configure+an+Outbound+HTTP+and+HTTPS+Proxy+for+JIRA describes a scenario where this may be possible,...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/08/05 2:47 a.m.•21 views

Use integrated Windows Auth for Proxy Authentication

Hi, I'm looking to secure access to the internet via an authenticated proxy and would like to avoid username passwords within init strings. https://confluence.atlassian.com/display/JIRAKB/How+to+Configure+an+Outbound+HTTP+and+HTTPS+Proxy+for+JIRA describes a scenario where this may be possible,...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2015/08/05 1:18 a.m.•21 views

Username enumeration through the username parameter to the ViewUserHover resource.

It is possible to enumerate usernames through the secure/ViewUserHover resource through the username parameter. JIRA leaks the existence of a username by showing your entire name. 1. Log out of JIRA 2. Go to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/18 10:7 p.m.•21 views

Content Spoofing in AppPortalPage

A third party scan found that the ConvertIssue.jspa action is vulnerable to content spoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users. How to reproduce:...

0.5AI score
Exploits0
Atlassian
Atlassian
•added 2015/06/08 11:4 a.m.•21 views

"JIRA Project Releases" event should respect Project's permissions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48963. panel Adding "JIRA Project Releases" event type to the Team calendar seems to NOT respect permissions from the project. I...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/03 7:44 p.m.•21 views

Users with only View Space permission are able to edit Space Questions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46923. panel h2. Problem Summary Users are able to edit any Space Questions as long as they have View permissions for that space...

1.4AI score
Exploits0
Atlassian
Atlassian
•added 2015/05/13 11:2 p.m.•21 views

Space permissions ignored in list of blog posts by date

h3. Summary Users have the ability to view a list of all blog posts, even from spaces in which they don't have permission to access. h3. Steps to Reproduce Install Confluence 5.7.x Create two spaces Space A Space B remove all permissions for confluence-users Create a blog post in Space A Create a...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/03/25 1:19 p.m.•21 views

Sensitive information displayed in anonymous REST API calls

h4. Expected behavior Block sensitive information from being displayed on anonymous REST API calls in JIRA. h4. Actual behavior Users' full-name are displayed when running the calls below: noformat /user/picker?query= /groupuserpicker?query=ali&showAvatar noformat Default fields and custom fields...

0.6AI score
Exploits0
Atlassian
Atlassian
•added 2015/03/18 3:28 a.m.•21 views

Project avatar resource vulnerable to XSRF

The project avatar resource accepts content type of MULTIPARTFORMDATA so a malicious attacker could use javascript to submit a form from a foreign host to a stash server and trick the user into changing the project avatar in Stash. cc David Black Atlassian - is there any reason why panopticon fou...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2015/02/26 1:52 p.m.•21 views

Member of confluence-administrators group able to see restricted page in pagetree, quick search and navigation panel

Bug Background Confluence super-users or member of confluence-administrators group should be able to access any content in Confluence including restricted content as long as it have the direct URL to access as describe in our documentation...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/02/07 12:44 a.m.•21 views

Application Navigator shows full list of links, including restricted ones

If a user has access to JIRA, but not Confluence, and try to go to a Confluence page, the access error page itself will have the hamburger menu with a full, unrestricted list of all links set up. We have a couple links pointing to code repositories and an older, archived issue tracker. The former...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/01/14 6:29 p.m.•21 views

Sanitize passwords when Network Traffic debugging is enabled

Login attempts for users managed externally i.e. JIRA/Crowd logs the user's password in FishEye logs if the Network Traffic is enabled. I think the password should be sanitized, because: This information is generally not important for troubleshooting of most issues. Users would have sensitive...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/12/19 2:48 p.m.•21 views

Information disclosure - full path disclosure

Jira displays charts on the dashboard by writting a temporary file in Jira "tmp" folder and reading it through a page called "charts" When the filename provided to this page is not present, an error message displays the full path to the "tmp" folder, which lies in Jira directory. This is a...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/12/18 3:30 a.m.•21 views

Use of atlassian-whitelist plugin allows CORS access to origins which it should not

The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/12/18 3:30 a.m.•21 views

Use of atlassian-whitelist plugin allows CORS access to origins which it should not

The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...

6.7AI score
Exploits0
Atlassian
Atlassian
•added 2014/12/02 7:41 a.m.•21 views

XSS vulnerability in "children" macro when displaying excerpts

Create a parent page A with a child page B - Add an \excerpt\ macro to B containing the text alert"Gotcha!"; - Add the \children\ macro to page A, with "Show excerpts" checked - Alert is shown when viewing A This is currently present on EAC - likely to be in released versions; not tested yet...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/24 7:13 p.m.•21 views

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/15 3:39 p.m.•21 views

Activity stream on JAC contains updates from another user

Jira prompted me to change my time zone, and brought me to a profile that seems to be for a completely different user who happens to share my first name and last initial. See attached screen shot. Going directly to https://secretlocation.atlassian.net/secure/ViewProfile.jspa shows me the proper...

1.9AI score
Exploits0
Atlassian
Atlassian
•added 2014/10/14 5:42 p.m.•21 views

Adding Subscription Cal by URL stores user password unencrypted

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48402. panel I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really ...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/01 2:52 p.m.•21 views

Confluence Security Settings not respected by Confluence Questions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47587. panel Hi Atlassian team, in our Confluence configuration we set "User email visibility" to "only visible to site...

1.8AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295