Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2026/04/16 4:38 p.m.20 views

DoS (Denial of Service) brace-expansion Dependency in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center. This DoS Denial of...

9.2CVSS5.6AI score0.00481EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/11 10:29 a.m.20 views

File Inclusion node-tar Dependency in Confluence Data Center

This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2 and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...

8.2CVSS5.9AI score0.00253EPSS
Exploits4
Atlassian
Atlassian
added 2026/04/10 10:29 p.m.20 views

DoS (Denial of Service) axios Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.7AI score0.02591EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

DoS (Denial of Service) valibot Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.1.1, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS5.7AI score0.00289EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

File Inclusion node-tar Dependency in Confluence Data Center

This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...

8.2CVSS7.2AI score0.00334EPSS
Exploits2
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

Path Traversal (Arbitrary Write) node-tar Dependency in Confluence Data Center

This High severity Path Traversal vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L allows a...

8.8CVSS5.8AI score0.00233EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

DOM-based XSS @remix-run/router Dependency in Confluence Data Center

This High severity DOM-based XSS vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A...

8CVSS7.6AI score0.0077EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/06 5:29 a.m.20 views

Path Traversal node-tar Dependency in Jira Service Management Data Center

This High severity Path Traversal vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Service Management Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.8...

8.8CVSS5.8AI score0.00233EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/06 5:28 a.m.20 views

File Inclusion node-tar Dependency in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2...

8.2CVSS5.9AI score0.00334EPSS
Exploits2
Atlassian
Atlassian
added 2026/02/13 11:45 a.m.20 views

CVE-2025-68493 impact on Bamboo

h3. Issue Summary Impact of CVE-2025-68493 in Bamboo https://cwiki.apache.org/confluence/display/WW/S2-069 Parsing of XML configuration in XWork component does not validate XML in proper way and it's vulnerable to XML external entity XXE injection. h3. Steps to Reproduce ||Impact of...

8.1CVSS5.9AI score0.23054EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 5:28 p.m.20 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-25883 was introduced in versions 8.5 of Confluence Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS5.5AI score0.02761EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 4:29 p.m.20 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2020-28469 was introduced in versions 7.19 of Confluence Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS5.5AI score0.04456EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/30 7:27 p.m.20 views

RCE (Remote Code Execution) commons-beanutils Dependency in Crowd Data Center and Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to...

8.8CVSS6.3AI score0.01548EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/20 7:3 a.m.20 views

Injection cipher-base Dependency in Jira Service Management Data Center and Server

This High severity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, 11.1.0, and 11.2.0 of Jira Service Management Data Center and Server. This Injection vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:Hcode allows...

9.1CVSS5.6AI score0.0047EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/16 6:27 p.m.20 views

XXE (XML External Entity Injection) org.apache.tika:tika-parsers Dependency in Crowd Data Center and Server

This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity XXE XML External Entity Injection vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE XML...

9.8CVSS5.7AI score0.02962EPSS
Exploits4
Atlassian
Atlassian
added 2025/12/19 3:18 p.m.20 views

XXE (XML External Entity Injection) in Crowd Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high...

7.9CVSS5.5AI score0.00297EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.20 views

XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Crowd Data Center and Server

This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity XXE XML External Entity Injection vulnerability was introduced in versions 6.3.0, 6.3.1, 6.3.2, 7.1.0, and 7.1.1 of Crowd Data...

9.8CVSS5.6AI score0.02962EPSS
Exploits4
Atlassian
Atlassian
added 2025/11/14 2:31 a.m.20 views

DoS (Denial of Service) Third-Party Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.0, 11.0.0 and and 11.1.0 of Jira Service Management Data Center and Server. This...

7.5CVSS6.9AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
added 2025/08/18 8:34 a.m.20 views

Third-Party Dependency in Crowd Data Center

Note: Aligning with our security bug fix policy|https://www.atlassian.com/trust/security/bug-fix-policy, this vulnerability has been fixed in our latest release only This Critical severity Third-Party Dependency vulnerability was introduced in version 6.1.1 of Crowd Data Center. This Third-Party...

9.4CVSS4.7AI score0.01735EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/02 4:9 a.m.20 views

MITM (Man-in-the-Middle) org.apache.httpcomponents.client5:httpclient5 Dependency in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.2.4, 9.4.0, and 9.5.1 of Confluence Data Center and Server however LTS version 8.5 is not affected by this CVE. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.8AI score0.00745EPSS
Exploits0
Atlassian
Atlassian
added 2025/06/17 5:8 a.m.20 views

Improper Authorization org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.12.0, 10.3.0, and 10.6.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

7.3CVSS7.3AI score0.02736EPSS
Exploits1
Atlassian
Atlassian
added 2025/06/11 5:8 a.m.20 views

Improper Authorization org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

7.3CVSS7.8AI score0.02736EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/04 9:36 a.m.20 views

Security vulnerability: Poor error handling in project gadget shows stack trace to user

Security vulnerability: Poor error handling in project gadget shows stack trace to user...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/31 4:19 p.m.20 views

Redirect from searchrequest.html page to login screen

h3. Issue Summary Hello team, We would like to open an improvement request to allow the searchrequest.html page to be redirected to the login page if the user is not logged on. This desired behavior is similar to the issue view page, since it automatically redirects you to the login screen if...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/25 4:0 p.m.20 views

JIRA REST API /rest/api/2/user/viewissue/search doesn't respect Security Levels

h3. Issue Summary REST API - rest/api/2/user/viewissue/search Does not respect permissions, doing this REST API both on users who have browse permission and no permissions for a single ticket will result in both users still being able to view the issue. See this documentation for reference -...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2023/10/02 3:11 p.m.20 views

UI Redressing (Clickjacking) with SSO Plugin for Data Center

h3. Problem Related to CONFSERVER-29230 When we enable the SAML login on General Configuration - Authentication, the Confluence login page shows inside an iframe. When disabled it doesn't show as expected with the Clickjacking disabled by default. In the gif attached, replicated the error on our...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/13 1:7 p.m.20 views

Creating tickets via mail adds recipient address to watchers, without necessary permissions

h3. Issue Summary This is reproducible on Data Center: yes h3. Steps to Reproduce create an email channel for Jira with the email address of a user without license in Jira the user should exist in Jira and not have application access configure the mail puller to create tickets for the email sende...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/05/08 2:12 a.m.20 views

Unauthorised users who make multipart requests have this data written to disk momentarily

h3. Issue Summary When a multipart request is made to a Confluence server, the multipart data is usually saved to a temporary directory prior to determining whether a user is authorised to access that URL. This is due to both application and library WebWork/Struts design where permission checks...

7AI score
Exploits0
Atlassian
Atlassian
added 2022/03/16 5:14 a.m.20 views

Admin user can change Base URL without WebSudo validation

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to change the Base URL of a Jira instance via a Broken Access Control vulnerability in the /rest/api/2/settings/baseUrl endpoint. The affected...

5.7AI score
Exploits0
Atlassian
Atlassian
added 2022/02/15 7:50 p.m.20 views

Denial of service attacks due to use of vulnerable version of apache-commons-compress package

Affected versions of Atlassian Jira Service Server and Data Center allow an unauthenticated attacker to perform a denial of service attack against services that use the apache-commons-compress package. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.6, from versi...

5.7AI score
Exploits0
Atlassian
Atlassian
added 2021/09/29 2:59 p.m.20 views

Replaying / intercepting a password reset POST request can allow for valid username enumeration

h3. Issue Summary Under certain conditions it's possible to enumerate valid usernames by replaying one of the password reset HTTP requests. h3. Steps to Reproduce Request a password reset email Open the password reset mail and click the link to open your browser Intercept the POST request of the...

Exploits0
Atlassian
Atlassian
added 2021/04/26 5:57 a.m.20 views

Unauthenticated users can inject messages into the XSRF token error page

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to display arbitrary messages in the application via an injection vulnerability in the XSRF token error page. The affected versions are before version 8.5.14, and from version 8.6.0 before 8.12.1. ...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2021/04/09 3:6 p.m.20 views

Adding an extra forward slash '/' in the download attachment URL results in a stack trace.

h3. Issue Summary Adding an extra forward slash '/' in the download attachment URL results in a stack trace. h3. Steps to Reproduce Append an extra slash to a download attachment URL, similar to this: code:java http://:///download/attachments code h3. Expected Results A 'page not found', 404 or...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2019/08/06 2:4 p.m.20 views

Linking image renders image as HTTP instead of HTTPS

h3. Issue Summary Linking existing image on Confluence page will appear as broken image due to mix content. The request url is rendered with HTTP instead of HTTPS. h3. Steps to Reproduce Create/edit a page. Click + and select Files and images. Attach an image to the page. Click on image and then...

Exploits0
Atlassian
Atlassian
added 2019/04/12 6:34 a.m.20 views

User are receiving mobile notifications of restricted Jira comments that they cannot view when accessing Jira through a browser

Hi Jira Server mobile app beta users, We recently discovered a bug where Jira Server mobile app users receive all comment notifications from Jira issues they’re watching or assigned to, even if the comment had been restricted to exclude them. This means they’ll be able to view the content of...

2.5AI score
Exploits0
Atlassian
Atlassian
added 2018/11/12 5:12 p.m.20 views

Security clean up /plugins/servlet/Wallboard.old 200 response

A low risk Path-Based Vulnerability exists at /plugins/servlet/Wallboard.old. Stylesheets and basic html page load for page that should not exist/deprecated...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/11/07 4:35 p.m.20 views

Setup only possible with sending user statistics

One of our customers reported an error: panel There is a problem with the setup of the new version of SourceTree 3.0.8. In the last screen the preferences are requested. It is not possible to click "Weiter" Continue without checking the second option. !Preferences.png|thumbnail! But this needs to...

2.2AI score
Exploits0
Atlassian
Atlassian
added 2018/06/15 1:10 p.m.20 views

Linux Git Server - Ampersand (&) in tag is not properly handled when closing a branch

I attempted to close a feature branch. I added the tag that included an ampersand CNT-421&CNTUI-123. The tag that was applied to the branch was CNT-421 as the ampersand was not escaped when running the command in Git. The ampersand was treated the same as an ampersand in Bash, which allows the...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2017/09/28 4:21 a.m.20 views

jira xml export does not escape label and component values

searchrequest-sml endpoint html encodes issue description text, but not issue labels or component. This means that other plugins / products relying on this end point for these values are vulnerable to XSS attacks, see linked issue. Please html encode these string values : example...

6.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/08/02 11:27 a.m.20 views

Move sensitive information out of Synchrony JVM arguments

h3. Issue Running Synchrony as a stand-alone service for data center instances exposes sensitive information such as the database username/password, and public/private keys. These are all passed as JVM arguments. This means anyone with command-line access to the server can see this information vi...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2017/04/24 9:51 p.m.20 views

Encrypt password variables in VARIABLE_CONTEXT and VARIABLE_BASELINE_ITEM tables

h3. Problem Definition Currently, Bamboo password variables are not encrypted in the VARIABLECONTEXT and VARIABLEBASELINEITEM tables, even though they are encrypted in VARIABLEDEFINITION h3. Suggested Solution Encrypt passwords in VARIABLECONTEXT and VARIABLEBASELINEITEM tables h3. Workaround...

2AI score
Exploits0
Atlassian
Atlassian
added 2017/01/18 5:47 p.m.20 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/18 5:46 p.m.20 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/09 11:15 p.m.20 views

XSS on Delete Webhook

It was possible for users with JIRA administrator rights to perform an XSS attack through convincing another user, potentially a user with system administrators rights, to delete a specific webhook...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/09 11:11 p.m.20 views

JIRA Server can be DOSed through a specific error page resource.

JIRA had a specific error page resource that when repeatedly accessed could result in more memory being used eventually resulting in java running out of heap space...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/06 11:12 a.m.20 views

Non-admin User Should not be able to see all users/groups in drop down

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Portfolio Server. Using JIRA Portfolio Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JPOCLOUD-1781. panel h3. Summary In Plan configuration Permissions Plan access. Non-admin users can try to add Viewers and see all...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/06 11:12 a.m.20 views

Non-admin User Should not be able to see all users/groups in drop down

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Portfolio Cloud. Using JIRA Portfolio Server? See the corresponding bug report|http://jira.atlassian.com/browse/JPOSERVER-1781. panel h3. Summary In Plan configuration Permissions Plan access. Non-admin users can try to add Viewers and see al...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/12/12 11:54 p.m.20 views

Permission issue when configuring Default Reviewers

Certain permissions relating to Default Reviewers could be circumvented by authenticated users...

3.9AI score
Exploits0
Atlassian
Atlassian
added 2016/07/19 7:11 p.m.20 views

XSS in Mail Whitelist Field

Jira Admins can create a persistant XSS on the Incoming Mail configuration page. When the value code "alert1 code is inserted into the Witelisted Domain field on the page code /secure/admin/IncomingMailServers.jspa code The javascript persists and executes on page load. This was tested on Jira...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/07 9:52 p.m.20 views

XSS in newFileName Field

From an external report: quote Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the...

6.1AI score
Exploits0
Total number of security vulnerabilities4295