Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2007/05/18 6:7 p.m.20 views

Assign Groups to Project Role screen allows entry of users as groups

When assigning groups to a project role, the screen allows the user to specify a group that is really a user name...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/27 7:41 a.m.20 views

Deleting a custom field which has an issue security scheme or permission scheme on it does not update the index and issue navigator is out of date

Similar to JRA-12410 - deleting a custom field does not adequately clean up after itself. Specifically, affected issues are not reindexed so the updated security and permission aspects are not reflected in search results which is a security hole. Note that a naive fix may produce performance...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/21 4:40 a.m.20 views

Deleting a custom field which has an issue security scheme or permission scheme on it causes system error

A custom field with an issue security scheme based on it is deleted. A subsequent search on a issue under this security scheme causes a system error...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/15 10:22 p.m.20 views

Data anonymiser does not blank out SMTP server username and password

SMTP server username and password are readable in database/xml export: This can possible security leak e.g. when you sent support request, where you send database export to support. Anonymizer does not remove these values. ---- Username and password should be encoded format in database...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/15 10:22 p.m.20 views

Data anonymiser does not blank out SMTP server username and password

SMTP server username and password are readable in database/xml export: This can possible security leak e.g. when you sent support request, where you send database export to support. Anonymizer does not remove these values. ---- Username and password should be encoded format in database...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2007/01/10 3:32 a.m.20 views

XSS bug: usernames not HTML-encoded in all places

When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting XSS attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...

5.9AI score
Exploits0
Atlassian
Atlassian
added 2006/07/28 6:59 a.m.20 views

IP restrictions on admin rights

A security conscience evaluator has requested the option to restrict administration access to a range of / a specific IP address/es...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/04/15 10:2 a.m.20 views

Change a user's password remotely

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-9921. panel I would like to be able to change a user's password remotely. Suggested API and implementation as follows: codevoid...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/11/03 3:17 a.m.20 views

Project admin is presented with an option to select a Screen Scheme

The option of changing the scheme should only be given to the global admins...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/11/03 3:17 a.m.20 views

Project admin is presented with an option to select a Screen Scheme

The option of changing the scheme should only be given to the global admins...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.20 views

Obscure email addresses in Confluence Mail

Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email address.and other ppl's too. Eeek! We really want to obscure them. And anywhere else they appear in confl... Maybe some funky javascript email encryption ?...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/06/29 10:11 p.m.20 views

Spam-protection

We need something like MT-Blacklist: the ability to define URL patterns that flag a page and/or comment as spam. It shouldn't be too hard to do - we already track URL links. The UI will need some thought though what do you do if you define a URL as spam, and it's in a page? Revert the page back t...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/02/20 2:47 a.m.20 views

When deleting an Issue Security Level issues need to be re-indexed

Create 1 security levels Put some issues into it Delete the level hence removing any security level from the issues You will not be able to find the issues any more - need to re-index...

1.1AI score
Exploits0
Atlassian
Atlassian
added 2002/08/26 1:28 a.m.20 views

Have JIRA delete cookie when user authentication fails

I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/04/16 1:50 p.m.19 views

mXSS (mutation Cross-Site Scripting) dompurify Dependency in Jira Service Management Data Center and Server

This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity nesting-based mXSS mutation Cross-Site Scripting vulnerability was introduced in version 10.3.0 of Jira...

10CVSS6.6AI score0.01093EPSS
Exploits2
Atlassian
Atlassian
added 2026/03/12 8:28 p.m.19 views

Path Traversal node-tar Dependency in Jira Software Data Center

This High severity Path Traversal vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.8 and a CVS...

8.8CVSS5.8AI score0.00233EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/06 5:28 a.m.19 views

File Inclusion node-tar Dependency in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.2CVSS5.9AI score0.00334EPSS
Exploits2
Atlassian
Atlassian
added 2026/01/16 6:27 p.m.19 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2025-66675 was introduced in versions 7.0.2 and 7.1.0 of Crowd Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H allows an...

8.2CVSS5.4AI score0.00517EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/16 7:5 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 5.12.2, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Service Management Data Center and Server. This DoS Denial of Service vulnerability, with a...

7.5CVSS8AI score0.01819EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/14 6:28 p.m.19 views

File Inclusion tar-fs Dependency in Confluence Data Center and Server

This High severity File Inclusion vulnerability known as CVE-2025-59343 was introduced in version 7.19 of Confluence Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N allows an...

8.7CVSS5.6AI score0.00516EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.19 views

XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Bamboo Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in versions 9.6.1, 10.0.0, 10.1.0, 10.2.0, 11.0.0, and 12.0.0-rc3 of Bamboo Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 8.4 and a CVSS Vector of...

9.8CVSS5.6AI score0.02962EPSS
Exploits4
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.19 views

MITM (Man-in-the-Middle) org.postgresql:postgresql Dependency in Confluence Data Center and Server

This High severity MITM Man-in-the-Middle vulnerability was introduced in versions 9.2.8 of Confluence Data Center and Server. This MITM Man-in-the-Middle vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N allows an unauthenticated attacker t...

8.2CVSS7.3AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/10 2:37 a.m.19 views

XXE (XML External Entity Injection) Tika Dependency in Jira Service Management Data Center and Server

This Jira Service Management release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path...

9.8CVSS7AI score0.79807EPSS
Exploits5
Atlassian
Atlassian
added 2025/11/14 6:27 a.m.19 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-45590

This High severity vulnerability known as CVE-2024-45590 was introduced in 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 8.19.5, 8.19.6, 8.19.7, 8.19.8, 8.19.9, 8.19.10, 8.19.11, 8.19.12, 8.19.13, 8.19.14, 8.19.15 of Bitbucket Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CV...

7.5CVSS6.8AI score0.00824EPSS
Exploits1
Atlassian
Atlassian
added 2025/11/14 6:27 a.m.19 views

Command Injection Third-Party Dependency in Bitbucket Data Center and Server - CVE-2021-23337

This High severity vulnerability known as CVE-2021-23337 was introduced in 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 8.19.5, 8.19.6, 8.19.7, 8.19.8, 8.19.9, 8.19.10, 8.19.11, 8.19.12, 8.19.13, 8.19.14, 8.19.15 of Bitbucket Data Center and Server. This vulnerability with a CVSS Score of 7.2 and a CV...

7.2CVSS6.8AI score0.2241EPSS
Exploits3
Atlassian
Atlassian
added 2025/11/13 11:27 p.m.19 views

Improper Authorization Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-41248

This High severity vulnerability known as CVE-2025-41248 was introduced in 10.0.0 of Bitbucket Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Atlassian recommends that Bitbucket Data Center and Server customers...

7.5CVSS6.8AI score0.00433EPSS
Exploits0
Atlassian
Atlassian
added 2025/10/22 7:34 a.m.19 views

Jira issue creation fails due to a problem with security level mapping.

h3. Issue Summary As per the issue-level security configuration|https://confluence.atlassian.com/adminjiraserver103/configuring-issue-level-security-1489807354.html documentation, when setting the default security level for an issue security scheme, if the issue reporter does not have the 'Set...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2025/09/09 2:9 a.m.19 views

RCE (Remote Code Execution) Third-Party Dependency in Confluence Data Center and Server

This high-severity Third-Party Dependency vulnerability was introduced in versions 2.0 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to...

8.8CVSS6.6AI score0.01548EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/14 7:20 a.m.19 views

Analytics Direct‑URL Bypass Ignores Global Analytics Permissions in Confluence Data Center

This ticket requests an LTS 9.2 fix for the issue at https://asecurityteam.atlassian.net/browse/VULN-1552959 . i This ticket doesn't have a due date because backport security fixes are only required for Critical-severity issues. Details: Security Bug Fix...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2025/07/09 4:13 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.3.0 and 10.7.1 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7.2AI score0.54877EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/08 5:9 a.m.19 views

DoS (Denial of Service) Third-Party Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.4.0, 9.5.0, 9.6.0, 10.0.0, 10.1.0, 10.2.0, and 11.0.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.4AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/05 5:9 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 10.3.0 and 10.7.1 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7.2AI score0.54877EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/31 6:8 a.m.19 views

DoS (Denial of Service) Third-Party Dependency in Crowd Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 6.0.0, 6.1.0, 6.2.0, and 6.3.0 of Crowd Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/02/12 1:56 a.m.19 views

Third-Party Dependency in Bitbucket Data Center

This High severity Third-Party Dependency vulnerability was introduced in version 9.5.0 of Bitbucket Data Center. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no...

7.5CVSS6.7AI score0.00932EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/25 6:11 a.m.19 views

Individual users with System Administrator access under Global Permissions are able to view the names of restricted spaces that they are not permitted to access.

h3. Issue Summary Individual users with System Administrator who can also have both Confluence Administrator and System Administrator access under Global Permissions can view the names of restricted spaces that they are not permitted to access. This is reproducible on Data Center: yes h3. Steps t...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.19 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bamboo Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 9.2.11, 9.4.3, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.8AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/11 10:31 a.m.19 views

Incorrect context paths included in the fallback URL still pass you to the login form when enable-authentication-fallback is enabled.

h3. Issue Summary When using an incorrect fallback URL to bypass SAML, you are still passed to the login form. This can be reproduced using a context path in the URL when no context path is set in the server.xml or by using a misspelled/wrong context path when one is set. This is reproducible on...

7.1AI score
Exploits0
Atlassian
Atlassian
added 2024/06/19 6:15 a.m.19 views

Aggregated ticket for vulnerabilities in: org.owasp.antisamy:antisamy

Aggregation of vulnerabilities related to library: org.owasp.antisamy:antisamy Individual Confserver tickets are linked via Issue Links and should be addressed case-by-case. This ticket is created automatically. Do not close this ticket until all linked issues are resolved...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2023/10/06 9:45 a.m.19 views

Scripts failing intermittently due to permissions denied (401) exception while using PAT

h3. Issue Summary This is reproducible on the Data Center: Yes h3. Steps to Reproduce Create two Jira users: UserA and UserB and two Projects: ProjectA and ProjectB. Restrict access to ProjectA for UserA, and ProjectB for UserB. Create one issue each on ProjectA and ProjectB. Use the below python...

7.4AI score
Exploits0
Atlassian
Atlassian
added 2023/09/11 7:59 a.m.19 views

websudo does not work for space admins in Confluence version 8.5.1

h3. Issue Summary This is reproducible on the Data Center: yes Issue happens only on 8.5.1 and works fine on 8.5.0 h3. Steps to Reproduce 1. Install Confluence Data Center 8.5.1 2. Create a Confluence test user with can use permissions in Global permissions 3. Assign all the space permissions in ...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2022/03/07 8:14 a.m.19 views

Update atlassian-gadgets to 4.2.41 to fix information leak

The atlassian-gadgets library bundled in Fisheye allowed information leak about installed plugins to anonymous users...

6.7AI score
Exploits0
Atlassian
Atlassian
added 2020/08/03 10:42 p.m.19 views

Unvalidated redirects in UPM via reverse tabnapping

Affected versions of Atlassian Jira Server and Data Center allow an authenticated attacker to redirect a user to a malicious website via an unvalidated redirect vulnerability in some Universal Plugin Manager pages, e.g. "Manage apps" and "Find new apps". Affected versions: version 7.13.16 7.14.0 ...

5.6AI score
Exploits0
Atlassian
Atlassian
added 2020/07/28 6:27 p.m.19 views

Improve error handling in commits page and REST endpoint

Adding a trail "%27" at the commits page URL in Bitbucket causes the application to output the error below. !screenshot-1.png|thumbnail! This error is improper error handling as it shows the path to the git executable in the server as well as it exceeds the limits of the error page and does not...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2020/04/28 10:22 a.m.19 views

Filter for custom field values shows all options from all contexts

h3. Summary If a custom field is added to a Portfolio plan, the Portfolio filter will show all options from all contexts configured in the custom field in Jira. h3. Steps to Reproduce Create a custom field with multiple contexts and values across contexts. Assign different projects to separate...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/10/23 12:40 p.m.19 views

XSS Vulnerability in JIRA Issue Export

A search endpoint is vulnerable to an XSS injection in certain cases. Normally, the browser will urlencode its requests, but some proxy servers and load balancers will decode URL data by default. see http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2017/05/18 11:11 a.m.19 views

Best Practices for Configuring JIRA Security

h5. Issue Summary Can a documentation containing a collection of best practices for securing a JIRA instance be created similar to this one|https://confluence.atlassian.com/doc/best-practices-for-configuring-confluence-security-216433533.html/?ga=2.68524696.801198909.1495105182-524443449.14914597...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/18 5:51 p.m.19 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/17 4:45 a.m.19 views

Shell Injection in SourceTree for Mac

SourceTree for Mac had a shell injection vulnerability starting with 1.9.8 prior to 2.3.1 the fixed version. By visiting a malicious website or by convincing a user to click a sourcetree:// URL with a vulnerable version of SourceTree for Mac installed an attacker could use a shell injection...

3.7AI score
Exploits0
Atlassian
Atlassian
added 2017/01/09 11:15 p.m.19 views

XSS on Delete Webhook

It was possible for users with JIRA administrator rights to perform an XSS attack through convincing another user, potentially a user with system administrators rights, to delete a specific webhook...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/09 11:11 p.m.19 views

JIRA Server can be DOSed through a specific error page resource.

JIRA had a specific error page resource that when repeatedly accessed could result in more memory being used eventually resulting in java running out of heap space...

0.9AI score
Exploits0
Total number of security vulnerabilities4295