Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2018/02/07 10:17 p.m.119 views

The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability XSS. See https://ecosystem.atlassian.net/browse/UPM-5871 for more details...

5.4CVSS1.5AI score0.00591EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/01 5:16 p.m.118 views

Access to all question drafts in private spaces via API

h3. Issue Summary Questions leak information through private space https://asecurityteam.atlassian.net/browse/BOUNTY-2559 h3. Steps to Reproduce Access to questions in spaces is limited to those users that have access to the space. However, question drafts in a restricted space can be accessed by...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/23 8:19 a.m.118 views

JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone

h3. Summary JIRA Anonymous User Is Able To Search For Creator Name Via JQL Search Screen|http://localhost:8080/issues/?jql= By Insert Full User Name Even When Browse User Global Permission Doesn't Allow "Anyone". This is definitely not an expected behavior if "Browse User" wasn't set to anyone...

Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/05 2:12 p.m.118 views

Oracle Security Patched DB Driver Not Working

+Issue Summary+ Following a recent security patch by Oracle for the ojdbc6.jar driver as fix for CVE-2016-3506. p23727132112040Generic.zip, available in Oracle Support download area, applying the patch to Confluence breaks Confluence with Confluence throwing: code Caused by: java.sql.SQLException...

8.1CVSS1.4AI score0.03542EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/19 6:43 a.m.118 views

Denial of Service attack through vulnerable Xerces-J library

quote There is WebDav endpoint that is accessible via following URL - https://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for PROPFIND request. Following python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002...

7.1CVSS1AI score0.24738EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/22 9:11 p.m.117 views

Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2021-25329|https://nvd.nist.gov/vuln/detail/CVE-2021-25329 and CVE-2021-25122|https://nvd.nist.gov/vuln/detail/CVE-2021-25122. The affected versions are before version 8.17.0. ...

7.5CVSS5.3AI score0.18114EPSS
Exploits15Affected Software1
Atlassian
Atlassian
added 2021/03/31 6:19 a.m.115 views

Information Disclosure using JQL function membersOf - CVE-2020-36286

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly...

5.3CVSS3.9AI score0.0141EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/02 1:51 a.m.115 views

XSS via project configuration - CVE-2019-20416

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the project configuration feature. Affected versions: version 8.3.0 Fixed versions: 8.3.0...

4.8CVSS5.5AI score0.0059EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:10 a.m.115 views

XSS in the IncomingMailServers resource through the messagesThreshold parameter - CVE-2017-18039

The IncomingMailServers resource in Atlassian JIRA from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the messagesThreshold parameter...

6.1CVSS5.7AI score0.0145EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/11/29 3:22 p.m.114 views

Information Disclosure ever after CVE-2020-14179/JRASERVER-71536

h3. Issue Summary Unauthorized access to data from the following API even if the public.access.disabled is enabled. /rest/api/2/projectCategory /rest/api/2/resolution /rest/menu/latest/admin h3. Steps to Reproduce - Install Jira 8.13.9 with H2 database - Create a project and some Project categori...

5.3CVSS1.3AI score0.76042EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/10/14 3:41 a.m.114 views

Unauthenticated user can Enumerate Issue Keys - CVE-2020-14185

Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2. Affected...

5.3CVSS5.8AI score0.02508EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/09 1:22 a.m.114 views

Template injection in Jira importers plugin - CVE-2019-15001

h3. Issue Summary There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin JIM. An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on...

9CVSS3AI score0.11366EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.114 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/19 11:32 p.m.113 views

XSS in XML export view - CVE-2020-4021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the XML export view. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.5 8.6.0 ≤ version 8.8.1 Fixed versions: 7.13.16 8.5....

5.4CVSS5.6AI score0.01003EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:6 a.m.113 views

Improper authentication on Convert Sub-Task to Issue page - CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names Project Key, if it is part of the workflow name Issue Keys Issue Types Status...

5.3CVSS6.3AI score0.01883EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/05 2:12 p.m.112 views

Oracle Security Patched DB Driver Not Working

+Issue Summary+ Following a recent security patch by Oracle for the ojdbc6.jar driver as fix for CVE-2016-3506. p23727132112040Generic.zip, available in Oracle Support download area, applying the patch to Confluence breaks Confluence with Confluence throwing: code Caused by: java.sql.SQLException...

8.1CVSS1.4AI score0.03542EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/20 8:22 a.m.112 views

Upgrade commons-fileupload to version >= 1.3.2

This is to mitigate CVE-2016-3092 See https://vulners.com/cve/CVE-2016-3092 for details...

7.8CVSS7.8AI score0.35927EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/20 6:2 a.m.111 views

Improper authorization on /rest/project-templates/1.0/createshared endpoint - CVE-2020-4029

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project names via an improper authorization vulnerability in the /rest/project-templates/1.0/createshared endpoint API endpoint. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 8.8.0 ≤ version...

4.3CVSS7.8AI score0.01448EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:20 a.m.111 views

Information Disclosure in comment restriction feature - CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. Affected versions: version 7.6.17 7.7.0 ≤ version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.6.17...

6.5CVSS5.7AI score0.01864EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:59 a.m.111 views

CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port port 5466...

9.8CVSS4.6AI score0.02976EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/14 11:35 a.m.110 views

Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

h3. Issue Summary The recently disclosed vulnerability regarding Apache Tomcat CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037, CVE-2021-33037|https://nvd.nist.gov/vuln/detail/CVE-2021-33037 Base Score: 5.3 MEDIUM CVE-2021-42340|https://vulners.com/cve/CVE-2021-42340 NVD score not yet...

7.5CVSS6.5AI score0.75353EPSS
Exploits16Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.110 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Confluence before version 6.13.6, from version 6.14.0 before version 6.15.5, and from version 7.0.0 before 7.0.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See...

4.3CVSS2.3AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/09 2:59 a.m.110 views

Git downloads over HTTP

SourceTree downloads the standalone Git and every other zips over HTTP from the Atlassian servers. This is not secure and should be switched to HTTPS...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/27 3:55 a.m.109 views

RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114

A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6,...

8.8CVSS6.2AI score0.01657EPSS
Exploits0
Atlassian
Atlassian
added 2020/09/16 3:8 a.m.109 views

User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies. The...

5.3CVSS3.6AI score0.99209EPSS
Exploits1
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.109 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/09/03 4:6 p.m.108 views

org.springframework:spring-web used by Jira 9 contains vulnerabilities

Jira 9 and possibly the upcoming Jira 10 are affected by CVE-2024-38808. https://spring.io/security/cve-2024-38808 https://asecurityteam.atlassian.net/browse/VULN-1409329...

4.3CVSS6.7AI score0.00536EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/07 7:28 a.m.108 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 5.6 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely...

7.6AI score
Exploits0
Atlassian
Atlassian
added 2023/02/03 5:50 a.m.108 views

Information Disclosure via QueryCompenentRenderer API

Affected versions of Atlassian Jira Server and Data Centre allowed an unauthenticated remote attacker to fetch Issue,Project and Sprint information via Information Disclosure Vulnerability via "/secure/QueryComponentRendererValue!Default.jspa" endpoint. Affected versions: version 9.5.1 Fixed...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2021/11/02 11:0 p.m.108 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bamboo) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bamboo where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or cod...

8.3CVSS3.4AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/06/30 3:9 a.m.108 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS2.3AI score0.48883EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:45 p.m.108 views

Update application links to 5.4.23 to fix CVE-2020-5398

Affected versions of Atlassian FishEye and Crucible allow remote attackers to view sensitive information via an Information Disclosure vulnerability in a vulnerable version of the Application Links component. The affected versions are before version 4.8.6. Affected versions: version 4.8.6 Fixed...

8CVSS5AI score0.88077EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2020/06/19 1:56 a.m.108 views

SSRF in Dashboard & Gadgets - CVE-2019-20408

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF vulnerability due to a logic bug in the JiraWhitelist class. As an example to indicate impact, when...

5.3CVSS4.8AI score0.00998EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/12 6:53 a.m.108 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluen...

7.5CVSS0.9AI score0.03743EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/07 12:32 a.m.108 views

CVE-2016-4319: /auditing/settings was vulnerable to CSRF

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-61803. panel The /auditing/settings resource was vulnerable to CSRF|https://en.wikipedia.org/wiki/Cross-siterequestforgery attacks...

8.8CVSS1.8AI score0.00666EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/19 9:30 a.m.108 views

Upgrade bundled Tomcat to the latest minor release

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-33563. panel Customer did a Security Scan on the instance and founded the version 5.1.8 that he is using subjected to security vulnerabilitie...

5CVSS7.2AI score0.11975EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:53 p.m.107 views

Stored XSS via Custom Fields on Screens Modal - CVE-2020-36234

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14...

4.8CVSS4.4AI score0.01015EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/15 3:29 p.m.107 views

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2019-12418|https://vulners.com/cve/CVE-2019-12418 CVE-2019-17563|https://vulners.com/cve/CVE-2019-17563 Which affects the following versions: Apache Tomcat 8.x from 8.5.0 before 8.5.50 We should bundle a more...

7.5CVSS8AI score0.10687EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.108 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Fisheye before version 4.7.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS2.9AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:43 a.m.107 views

XSS in review dashboard through a custom filter title - CVE-2017-9507

The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the review filter title parameter...

5.4CVSS4.1AI score0.00818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/13 4:43 a.m.107 views

Multiple Vulnerabilities in JIRA Workflow Servlet

||Affected Versions|| |4.2.4 = version 6.3.0| An anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way...

9.8CVSS4.6AI score0.16239EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/08/01 4:1 a.m.106 views

Macro browser breaks https secure connection

h3. Issue Summary Macro browser loads http insecure resources including a data:image/png and a testing mocking resource http://example.com/bla-bla-bla h3. Environment Optional - If Applicable h3. Steps to Reproduce Create a page Open macro browser h3. Expected Results Connection remains secure h3...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/18 1:28 a.m.106 views

Bitbucket Data Center - Path traversal in the migration tool leads to RCE - CVE-2019-3397

h3. Issue Summary Bitbucket Data Center had a path traversal vulnerability in the Data Center migration tool. A remote attacker with authenticated user with admin permissions can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code executio...

9.1CVSS1.4AI score0.05057EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/03/02 6:55 p.m.106 views

Stored XSS in Confluence / Links in Code Block

This is reported from bugcrowd: publish code block with content single quotes included: 'https://w3.org/"style="width:100%;height:100%;position:fixed;left:0;top:0"onmousemove=alert1//' That should work both in comment and article sections...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/05/17 6:46 a.m.105 views

Upgrade spring-core for CVE-2023-20860

h3. Issue Summary Bitbucket Server/DC includes the following two libraries, which may be vulnerable to CVE-2023-20860|https://vulners.com/cve/CVE-2023-20860: /app/WEB-INF/lib/spring-core-5.3.23.jar /opensearch/plugins/opensearch-sql/spring-core-5.3.22.jar Bitbucket isn't known to be vulnerable, b...

7.5CVSS6.7AI score0.03514EPSS
Exploits1
Atlassian
Atlassian
added 2016/07/07 4:22 a.m.105 views

CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent. Affected versions: All versions of Bamboo...

9.8CVSS3.9AI score0.0709EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/12 4:26 a.m.105 views

CVE-2015-6576: Deserialisation Resulting in Remote Code Execution Vulnerability

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo web interface...

8.8CVSS4.4AI score0.03618EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 4:9 a.m.104 views

XSS in the MigratePriorityScheme resource - CVE-2019-11584

The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the priority icon url of an issue priority...

6.1CVSS4.3AI score0.0097EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/19 6:43 a.m.104 views

Denial of Service attack through vulnerable Xerces-J library

quote There is WebDav endpoint that is accessible via following URL - https://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for PROPFIND request. Following python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002...

7.1CVSS1AI score0.24738EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/01/11 12:37 p.m.103 views

[BUG] Unauthenticated issues enumeration through API

I detected that in JIRA onprem with API REST exposed an attacker that knows or discover the name of a project can enumerate the issues that exists related to the project. All of this without logged in on JIRA or any credentials. The response of the server changes when the issue exists on the...

0.8AI score
Exploits0
Total number of security vulnerabilities4295