Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2025/07/05 5:9 a.m.21 views

MITM (Man-in-the-Middle) org.apache.httpcomponents.client5:httpclient5 Dependency in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.12.23, 10.3.7, 10.5.1, 10.6.0, and 10.7.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.00745EPSS
Exploits0
Atlassian
Atlassian
added 2025/05/20 8:8 p.m.21 views

DoS (Denial of Service) Third-Party Dependency in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.12.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, and 10.6.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/05/14 5:8 a.m.21 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/05/13 2:4 a.m.21 views

DoS (Denial of Service) io.netty:netty-handler Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.11.3, 5.12.0, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS...

7.5CVSS7.3AI score0.02112EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/11 11:25 p.m.21 views

DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency in Bamboo Data Center and Server

This High severity com.google.protobuf:protobuf-java Dependency vulnerability was introduced in versions 9.5.0, 9.6.0, and 10.0.0-rc3 of Bamboo Data Center and Server. This com.google.protobuf:protobuf-java Dependency vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...

8.7CVSS6.6AI score0.02772EPSS
Exploits1
Atlassian
Atlassian
added 2025/01/29 10:15 a.m.21 views

RCE (Remote Code Execution) org.apache.avro:avro Dependency in Bitbucket Data Center and Server

This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, and 9.2.0 of Bitbucket Data Center and Server. This org.apache.avro:avro Dependency...

9.2CVSS7.4AI score0.03278EPSS
Exploits0
Atlassian
Atlassian
added 2025/01/22 2:24 p.m.21 views

When using an Oracle DB, application properties can't be set to empty

h3. Issue Summary The jira.security.csp.sandbox.included.content.disposition application property accepts: Empty value "attachment" "inline" "attachment;inline" or "inline;attachment" If Jira is installed using an Oracle database, the empty value is never set. This happens because Oracle treats...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2025/01/22 12:12 p.m.21 views

Able to attach restricted files to Jira issues from Email

h3. Issue Summary From 9.15, admins can now restrict unwanted file extensions from being uploaded through issues. However, the restriction does not work when the attachment is sent via email. The files with restricted extensions are being uploaded to Jira issues. Reference:Restrict unwanted file...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/11/21 10:54 p.m.21 views

org.apache.commons:commons-compress Dependency in Bamboo Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector o...

8.1CVSS6.7AI score0.00441EPSS
Exploits0
Atlassian
Atlassian
added 2023/12/12 3:19 p.m.21 views

atl_token parameter visible from the URL

h3. Issue Summary This is reproducible on Data Center: yes h3. Steps to Reproduce Login to Bamboo Create plans and generate report Application sends a token through the URL itself. h3. Expected Results Application should not send atltoken parameter in URL h3. Actual Results application sends a...

6.9AI score
Exploits0
Atlassian
Atlassian
added 2023/12/12 9:48 a.m.21 views

Attachments download link still works even after deleting attachment from page

h3. Issue Summary The attachment download link still works even after deleting the attachment from the page. h3. Steps to Reproduce Create a Page and add any attachments to the page Click on the attachment and download the attachment using the download button Now, right-click on the download butt...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/18 8:55 a.m.21 views

As a sys admin user without permissions to view a restricted space, I can see activity for it but cannot view the space or pages in it

h3. Issue Summary This is reproducible on Data Center: YES. h3. Steps to Reproduce h4. Steps on Bulldog: Sign in as a user with all of these permissions: Can Use, Personal Space, Create Spaces, Confluence Administrator optional, System Administrator. Note that this use should not be present in th...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/08/10 8:10 p.m.21 views

Team Calendars is not loading Jira Agile Sprint Events

h3. Issue Summary Team Calendars is not loading Jira Agile Sprint Events This is reproducible on Data Center: yes h3. Steps to Reproduce Install Confluence 8.4.0 and Jira 9.9.1 Set up application link and sample Jira project Add Jira Agile Event h3. Expected Results Expect Jira Agile Events to...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2022/11/02 9:35 a.m.22 views

When setting a customer account's password, the potentially different&existing logged in user/session will be used in audit log to record the password change, causing confusion and making it look like a password hijack

h1. Steps to reproduce Consider the following scenario: User A: Invite is sent to [email protected] to join the JSM customer portal. User B is a customer and it is logged into customer portal as [email protected]. In the same browser where User B is logged in, the mailbox of [email protected] is open and ...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/10/19 1:22 p.m.21 views

Attachments that are added to drafts while collaborative editing is off are searchable when collaborative editing is turned on

h3. Issue Summary This is reproducible on Data Center: yes h3. Steps to Reproduce Turn OFF collaborative editing Create a page Add attachment to the page Do not publish the page Try searching for the draft or attachment Enable Collaborative Editing Perform Reindexing Try searching for the draft o...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/29 9:23 a.m.21 views

Audit Logs Store LDAP Password in Plain Text

h3. Problem In Confluence, when an external LDAP directory is created/modified, Audit logs store the LDAP connection password as plain text. h3. Environment 7.4.x . h3. Steps to Reproduce 1. In Confluence, create or modify a directory as Microsoft Active Directory, Crowd, Jira etc 2. After...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/06/14 8:11 p.m.21 views

Upgrade bundled Java to 8u292+

Currently our latest available Jira version includes AdoptOpenJDK 1.8.0275, which does not include a fix for the following vulnerabilities: https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20 It affects AdoptOpenJDK up to 1.8.0282, so we should bundle Jira with AdoptOpenJDK 1.8.02...

2.7AI score
Exploits0
Atlassian
Atlassian
added 2020/07/03 10:15 a.m.21 views

Anonymous user able to access some agile board's report configuration

h3. Issue Summary When someone who did not login to Jira tried to access direct URL to Average Age Report, the user will be shown Configure - Average Age Report page instead of Jira asking the user to login. h3. Steps to Reproduce Copy the full URL to an Average Age Report Eg:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/18 2:26 p.m.21 views

Comment button visible to users without permission on boards

h3. Issue Summary When a project's permissions are set to allow viewing by any logged in user, but commenting is limited to specific project roles, if a user attempts to comment from a board, the button is available to them and they see the following error message: panel:bgColor=eeeeee...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.21 views

https://jira.atlassian.com/browse/JRASERVER-70409 for Bitbucket Server

The version of the Application Links plugin used in Bitbucket Server and Bitbucket Data Center before version 5.16.6, from version 6.0.0 before version 6.0.6, from version 6.1.0 before version 6.1.5, from version 6.2.0 before version 6.2.2, and from version 6.3.0 before version 6.3.1 allows remot...

2.6AI score
Exploits0
Atlassian
Atlassian
added 2019/03/21 12:46 a.m.21 views

The version of moment.js used in Jira was vulnerable to a regular expression denial of service

The version of moment.js used in in Jira before version 7.12.3, from version 7.13.0 before version 7.13.1 and before version 8.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...

4.5AI score
Exploits0
Atlassian
Atlassian
added 2019/03/13 12:45 p.m.21 views

Embedded 7z vulnerable with a cvs score of 10

The embedded 7zip version is vulnerable. Please update...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2017/12/01 4:16 p.m.21 views

Users with 'Plan Admin' privileges can change Project Name

h3. Summary Users whom have Plan level Admin privileges, but not Project level Admin privileges are able to change the Project name from /chain/admin/config/editChainDetails.action?buildKey=\projkey-\plankey h3. Steps to Reproduce h1. Step 1 Create Project with key TSTPR Create Plan within TSTPR...

3.6AI score
Exploits0
Atlassian
Atlassian
added 2017/05/25 3:47 p.m.21 views

Password Reset

I changed my password on my Linux system and now I can't push/pull via Atlassian SourceTree 2.0.20.1 gui. I tried resetting via the authentication tab under Tools-Options but the password is not being saved. I can use git via command line via Terminal because I am prompted for a password. I...

4AI score
Exploits0
Atlassian
Atlassian
added 2017/02/21 1:8 a.m.21 views

Administrators should have the ability to restrict access to the System dashboard

Administrators should have the ability to restrict access to the System dashboard which by default is available to the public...

4.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/19 9:28 a.m.21 views

Update application-links to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2017/01/19 9:28 a.m.21 views

Update application-links to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/18 5:47 p.m.21 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0
Atlassian
Atlassian
added 2017/01/18 5:47 p.m.21 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/17 11:37 p.m.21 views

hipchat server not supporting SSL Forward Secrecy

Security scans report that hipchat server isn't supporting SSL Forward Secrecy. HipChat Server supports TLSRSAWITHAES128CBCSHA256 which isn't forward secret. This is commonly supported for backwards compatibility, but, it is most likely not necessary on most platforms these days. Please consider...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/11/28 3:58 a.m.21 views

Update atlassian-gadgets in JIRA Server to fix AG-1502

Now that https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets to a version that contains a fix for it. In this case JIRA Server would update atlassian-gadgets to a version = 4.2.14...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/11/09 11:9 a.m.21 views

User Management - Space View and Edit Control

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-45194. panel With our Confluence users linking to LDAP, it is difficult having to create and delete groups to control permission...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/11/03 6:49 p.m.21 views

"Allowed review participants" isn't restricting the scope for groups

h3. Summary The "Allowed review participants" option in the project settings isn't restricting the scope for groups when searching for reviewers to be added to a review, therefore all the groups are listed, even the ones not included as allowed groups. h3. Environment Tested on Crucible 4.2.0 h3...

2.5AI score
Exploits0
Atlassian
Atlassian
added 2016/05/31 3:21 a.m.21 views

Forms that use the GET method cause the XSRF token to be added to the URL

h5.Steps to Reproduce: In Confluence, visit the "My Profile" page /users/viewuserprofile.action Click "Edit Profile" Note that no atltoken is present in the URL. Click "Settings" /users/viewmysettings.action Click "Edit" Note that the atltoken value is present in the URL. h5.Cause Some forms are...

1.1AI score
Exploits0
Atlassian
Atlassian
added 2016/05/03 5:12 p.m.21 views

Moving or deleting an issue leaves the empty attachments subdirectory on the filesystem

To reproduce: Create an issue Attach a file to it Locate the file on the JIRA-server filesystem -- under JIRA "home" directory attachments/..../PROJECT-ISSUE Move the issue to a different project or delete it completely Observe the empty issue subdirectory remaining on the filesystem The director...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/03/02 3:36 p.m.21 views

Responses with Set-Cookie header cached

h3. Context We have Jira running with SSO from Crowd. Jira is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-control, Expire and Pragma HTTP headers. h3. Problem We have discovered following cases of sessions mix up where a user \1 get the Crowd...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/03/01 11:1 a.m.21 views

As an administrator I want to be able to configure whether XSS protection should apply to requirements or not

h3. Problem Definition For XSS protection, certain "dangerous" characters are not allowed for input in many fields in Bamboo, including for requirements. One such character is the ampersand &, which can be used for logical AND expressions such as "a && b" for "a AND b". At the moment, because XSS...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/07 11:34 a.m.21 views

Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances

Users existing in remote Crowd/JIRA authentication source may get access to FishEye/Crucible instance even if they are not members of specified "Groups to Synchronise"...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/07 11:30 a.m.21 views

Stronger algorithm used to digest instance admin password

Let's use PKCS5S2...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2016/01/07 11:29 a.m.21 views

Stronger algorithm used to digest instance admin password

Let's use PKCS5S2...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2015/12/22 10:57 a.m.21 views

Backup action is XSRF vulnerable

XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/12/04 6:16 a.m.21 views

Upgrade to version 3.2.2 of apache commons-collections

quote This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/12/01 10:54 a.m.21 views

It is possible to access the list of patches in a review and their content by unprivileged users

We've discovered and fixed a security issue, where the attacker could using the REST API: access the list of patches in a review their filename, database id upload date and anchor details without authentication access the patch content for any review as long as he had view access to any other...

4.9AI score
Exploits0
Atlassian
Atlassian
added 2015/10/27 2:47 a.m.21 views

XSRF check failure when trying to add a logo to a topic

h3. Steps to reproduce Create a topic in Confluence Questions. Select an image as a logo. Click Done. h3. Expected results The topic is created with the chosen logo. h3. Actual results The topic is created, but with the default tag logo. h3. Notes The same thing occurs when trying to add a logo t...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/21 5:33 p.m.21 views

Bad performance noticed on issues with long history

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-45903. panel Performing some testing with JIRA 6.4.5, I've noticed that there is a huge difference when logging work on an issue with no...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/01 8:59 a.m.21 views

Prevent Activity feed information leakage by allowing permanently disabling of it

It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances, internal and external, which are connected one to another. Having them connected is clearly a business requirement for being able to cross link issues and to copy them...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/05 2:47 a.m.21 views

Use integrated Windows Auth for Proxy Authentication

Hi, I'm looking to secure access to the internet via an authenticated proxy and would like to avoid username passwords within init strings. https://confluence.atlassian.com/display/JIRAKB/How+to+Configure+an+Outbound+HTTP+and+HTTPS+Proxy+for+JIRA describes a scenario where this may be possible,...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/05 2:47 a.m.21 views

Use integrated Windows Auth for Proxy Authentication

Hi, I'm looking to secure access to the internet via an authenticated proxy and would like to avoid username passwords within init strings. https://confluence.atlassian.com/display/JIRAKB/How+to+Configure+an+Outbound+HTTP+and+HTTPS+Proxy+for+JIRA describes a scenario where this may be possible,...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2015/06/18 10:7 p.m.21 views

Content Spoofing in AppPortalPage

A third party scan found that the ConvertIssue.jspa action is vulnerable to content spoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users. How to reproduce:...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2015/06/08 11:4 a.m.21 views

"JIRA Project Releases" event should respect Project's permissions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48963. panel Adding "JIRA Project Releases" event type to the Team calendar seems to NOT respect permissions from the project. I...

0.9AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295