Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2026/01/16 7:5 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 5.12.2, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Service Management Data Center and Server. This DoS Denial of Service vulnerability, with a...

7.5CVSS8AI score0.01819EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/14 6:28 p.m.19 views

File Inclusion tar-fs Dependency in Confluence Data Center and Server

This High severity File Inclusion vulnerability known as CVE-2025-59343 was introduced in version 7.19 of Confluence Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N allows an...

8.7CVSS5.6AI score0.00516EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.19 views

XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Bamboo Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in versions 9.6.1, 10.0.0, 10.1.0, 10.2.0, 11.0.0, and 12.0.0-rc3 of Bamboo Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 8.4 and a CVSS Vector of...

9.8CVSS5.6AI score0.02962EPSS
Exploits4
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.19 views

Injection in Crowd Data Center and Server

This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Injection vulnerability known as CVE-2025-9288 was introduced in versions 2.2.6, 2.4.11, 6.2.4, 6.3.0, and 7.1.0 of Crowd Da...

9.1CVSS5.6AI score0.00651EPSS
Exploits2
Atlassian
Atlassian
added 2025/12/10 2:37 a.m.19 views

XXE (XML External Entity Injection) Tika Dependency in Jira Service Management Data Center and Server

This Jira Service Management release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path...

9.8CVSS7AI score0.79807EPSS
Exploits5
Atlassian
Atlassian
added 2025/10/22 7:34 a.m.19 views

Jira issue creation fails due to a problem with security level mapping.

h3. Issue Summary As per the issue-level security configuration|https://confluence.atlassian.com/adminjiraserver103/configuring-issue-level-security-1489807354.html documentation, when setting the default security level for an issue security scheme, if the issue reporter does not have the 'Set...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2025/09/09 2:9 a.m.19 views

RCE (Remote Code Execution) Third-Party Dependency in Confluence Data Center and Server

This high-severity Third-Party Dependency vulnerability was introduced in versions 2.0 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to...

8.8CVSS6.6AI score0.01548EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/14 7:20 a.m.19 views

Analytics Direct‑URL Bypass Ignores Global Analytics Permissions in Confluence Data Center

This ticket requests an LTS 9.2 fix for the issue at https://asecurityteam.atlassian.net/browse/VULN-1552959 . i This ticket doesn't have a due date because backport security fixes are only required for Critical-severity issues. Details: Security Bug Fix...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2025/07/09 4:13 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.3.0 and 10.7.1 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7.2AI score0.54877EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/08 5:9 a.m.19 views

DoS (Denial of Service) Third-Party Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.4.0, 9.5.0, 9.6.0, 10.0.0, 10.1.0, 10.2.0, and 11.0.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.4AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
added 2025/07/05 5:9 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 10.3.0 and 10.7.1 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7.2AI score0.54877EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/31 6:8 a.m.19 views

DoS (Denial of Service) Third-Party Dependency in Crowd Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 6.0.0, 6.1.0, 6.2.0, and 6.3.0 of Crowd Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/02/12 1:56 a.m.19 views

Third-Party Dependency in Bitbucket Data Center

This High severity Third-Party Dependency vulnerability was introduced in version 9.5.0 of Bitbucket Data Center. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no...

7.5CVSS6.7AI score0.00932EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/25 6:11 a.m.19 views

Individual users with System Administrator access under Global Permissions are able to view the names of restricted spaces that they are not permitted to access.

h3. Issue Summary Individual users with System Administrator who can also have both Confluence Administrator and System Administrator access under Global Permissions can view the names of restricted spaces that they are not permitted to access. This is reproducible on Data Center: yes h3. Steps t...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.19 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bamboo Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 9.2.11, 9.4.3, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.8AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/11 10:31 a.m.19 views

Incorrect context paths included in the fallback URL still pass you to the login form when enable-authentication-fallback is enabled.

h3. Issue Summary When using an incorrect fallback URL to bypass SAML, you are still passed to the login form. This can be reproduced using a context path in the URL when no context path is set in the server.xml or by using a misspelled/wrong context path when one is set. This is reproducible on...

7.1AI score
Exploits0
Atlassian
Atlassian
added 2024/06/19 6:15 a.m.19 views

Aggregated ticket for vulnerabilities in: org.owasp.antisamy:antisamy

Aggregation of vulnerabilities related to library: org.owasp.antisamy:antisamy Individual Confserver tickets are linked via Issue Links and should be addressed case-by-case. This ticket is created automatically. Do not close this ticket until all linked issues are resolved...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2023/10/06 9:45 a.m.19 views

Scripts failing intermittently due to permissions denied (401) exception while using PAT

h3. Issue Summary This is reproducible on the Data Center: Yes h3. Steps to Reproduce Create two Jira users: UserA and UserB and two Projects: ProjectA and ProjectB. Restrict access to ProjectA for UserA, and ProjectB for UserB. Create one issue each on ProjectA and ProjectB. Use the below python...

7.4AI score
Exploits0
Atlassian
Atlassian
added 2023/09/11 7:59 a.m.19 views

websudo does not work for space admins in Confluence version 8.5.1

h3. Issue Summary This is reproducible on the Data Center: yes Issue happens only on 8.5.1 and works fine on 8.5.0 h3. Steps to Reproduce 1. Install Confluence Data Center 8.5.1 2. Create a Confluence test user with can use permissions in Global permissions 3. Assign all the space permissions in ...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2022/03/07 8:14 a.m.19 views

Update atlassian-gadgets to 4.2.41 to fix information leak

The atlassian-gadgets library bundled in Fisheye allowed information leak about installed plugins to anonymous users...

6.7AI score
Exploits0
Atlassian
Atlassian
added 2020/08/03 10:42 p.m.19 views

Unvalidated redirects in UPM via reverse tabnapping

Affected versions of Atlassian Jira Server and Data Center allow an authenticated attacker to redirect a user to a malicious website via an unvalidated redirect vulnerability in some Universal Plugin Manager pages, e.g. "Manage apps" and "Find new apps". Affected versions: version 7.13.16 7.14.0 ...

5.6AI score
Exploits0
Atlassian
Atlassian
added 2020/07/28 6:27 p.m.19 views

Improve error handling in commits page and REST endpoint

Adding a trail "%27" at the commits page URL in Bitbucket causes the application to output the error below. !screenshot-1.png|thumbnail! This error is improper error handling as it shows the path to the git executable in the server as well as it exceeds the limits of the error page and does not...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2020/04/28 10:22 a.m.19 views

Filter for custom field values shows all options from all contexts

h3. Summary If a custom field is added to a Portfolio plan, the Portfolio filter will show all options from all contexts configured in the custom field in Jira. h3. Steps to Reproduce Create a custom field with multiple contexts and values across contexts. Assign different projects to separate...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/10/23 12:40 p.m.19 views

XSS Vulnerability in JIRA Issue Export

A search endpoint is vulnerable to an XSS injection in certain cases. Normally, the browser will urlencode its requests, but some proxy servers and load balancers will decode URL data by default. see http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2017/05/18 11:11 a.m.19 views

Best Practices for Configuring JIRA Security

h5. Issue Summary Can a documentation containing a collection of best practices for securing a JIRA instance be created similar to this one|https://confluence.atlassian.com/doc/best-practices-for-configuring-confluence-security-216433533.html/?ga=2.68524696.801198909.1495105182-524443449.14914597...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/18 5:51 p.m.19 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/17 4:45 a.m.19 views

Shell Injection in SourceTree for Mac

SourceTree for Mac had a shell injection vulnerability starting with 1.9.8 prior to 2.3.1 the fixed version. By visiting a malicious website or by convincing a user to click a sourcetree:// URL with a vulnerable version of SourceTree for Mac installed an attacker could use a shell injection...

3.7AI score
Exploits0
Atlassian
Atlassian
added 2017/01/09 11:11 p.m.19 views

JIRA Server can be DOSed through a specific error page resource.

JIRA had a specific error page resource that when repeatedly accessed could result in more memory being used eventually resulting in java running out of heap space...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2016/11/28 4:10 a.m.19 views

Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-45392. panel For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets t...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/11/28 3:58 a.m.19 views

Update atlassian-gadgets in JIRA Server to fix AG-1502

Now that https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets to a version that contains a fix for it. In this case JIRA Server would update atlassian-gadgets to a version = 4.2.14...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2016/11/03 6:49 p.m.19 views

"Allowed review participants" isn't restricting the scope for groups

h3. Summary The "Allowed review participants" option in the project settings isn't restricting the scope for groups when searching for reviewers to be added to a review, therefore all the groups are listed, even the ones not included as allowed groups. h3. Environment Tested on Crucible 4.2.0 h3...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/11/02 7:29 a.m.19 views

SECURITY: Update application-links in JIRA Server to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case JIRA server would update application-links from version 5.2.3 to version 5.2.4...

2AI score
Exploits0
Atlassian
Atlassian
added 2016/08/10 5:55 p.m.19 views

Secure SSL flag does not work when using Delegated LDAP

h3. Summary The Secure SSL flag under the Advanced Settings section in the LDAP settings does not work when using Delegated LDAP/Internal with LDAP Authentication in JIRA. h3. Steps to Reproduce Add a Delegated LDAP AD in JIRA Checking the Secure SSL checkbox and hit the Save and Test button if w...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/06/24 8:41 p.m.19 views

When JIRA project has a security scheme, the option "None" is not displayed in Crucible

h3. Summary Whenever a JIRA project has a Security Scheme defined, and a workflow transition has at least one required field, a window is opened in JIRA side so that the required field/s are selected. Among the fields displayed in this window there will be the "Security Level", in which the...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2016/05/03 5:12 p.m.19 views

Moving or deleting an issue leaves the empty attachments subdirectory on the filesystem

To reproduce: Create an issue Attach a file to it Locate the file on the JIRA-server filesystem -- under JIRA "home" directory attachments/..../PROJECT-ISSUE Move the issue to a different project or delete it completely Observe the empty issue subdirectory remaining on the filesystem The director...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/05/03 5:12 p.m.19 views

Moving or deleting an issue leaves the empty attachments subdirectory on the filesystem

To reproduce: Create an issue Attach a file to it Locate the file on the JIRA-server filesystem -- under JIRA "home" directory attachments/..../PROJECT-ISSUE Move the issue to a different project or delete it completely Observe the empty issue subdirectory remaining on the filesystem The director...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2016/04/22 2:13 p.m.19 views

users without "delete attachment permission" can delete attachment

go to space tools permissions and remove the permission of user X to delete attachments go to a page of that space which contains an attachment go to attachments no "delete" link available / expand an attachment to see older versionns including current version for each version there is the...

2AI score
Exploits0
Atlassian
Atlassian
added 2016/04/20 7:41 a.m.19 views

Drop support Windows Quicktime plugin from Confluence multimedia plugin

The US Govt is recommending users should uninstall Quicktime for Windows http://krebsonsecurity.com/2016/04/us-cert-to-windows-users-dump-apple-quicktime/ In order to assist users transition we need to drop support for Quicktime plugin from Multimedia plugins and use the "video" tag instead...

3AI score
Exploits0
Atlassian
Atlassian
added 2016/03/21 10:33 p.m.19 views

Stored XSS in ViewWorkflowTransition.jsp

Step to reproduce: 1 Go to workflow edit page as an administrator 2 Add validator "User Permission Validator" to transition with user name parameter "alert2" 3 It will trigger xss on ViewWorkflowTransition page...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/12/07 7:52 p.m.19 views

User Picker Custom field HTML tags showing when creating new issues

h3. Summary Customer reported that when creating custom field User Picker and added html tags in description field, text link shows correctly in Custom Field screen under Administration Setting. However when creating new issues, the create issue form for User Picker field shows the HTML code not...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/12/07 7:52 p.m.19 views

User Picker Custom field HTML tags showing when creating new issues

h3. Summary Customer reported that when creating custom field User Picker and added html tags in description field, text link shows correctly in Custom Field screen under Administration Setting. However when creating new issues, the create issue form for User Picker field shows the HTML code not...

7.1AI score
Exploits0
Atlassian
Atlassian
added 2015/12/01 10:54 a.m.19 views

It is possible to access the list of patches in a review and their content by unprivileged users

We've discovered and fixed a security issue, where the attacker could using the REST API: access the list of patches in a review their filename, database id upload date and anchor details without authentication access the patch content for any review as long as he had view access to any other...

4.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/09/01 2:42 p.m.19 views

change fontset 'icons' to html entities to improve security compliance

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-38988. panel It seems that the icons in Confluence are currently rendered using fontset. This can be an issue for organization...

Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/13 8:17 a.m.19 views

Disabled Users Receive Notification from Team Calendar

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48834. panel h3. Summary Confluence disabled users that subscribed to a calendar still receive notifications when calendar have...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/04/08 10:58 a.m.19 views

Update Java version bundled in the installer

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-37164. panel The version of Java bundled with Confluence is 1.7.015 which is a little bit dated February 2013. We should bundle...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/03/30 7:14 a.m.19 views

Bundled Java Version Security Patches

At the moment, the bundled JAVA is version 1.7.015. The recent JAVA version is 1.7.72, which has many security patches http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html. Does the security vulnerabilities on bundled JAVA JRE something that we should be concerned about?...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/02/27 1:46 p.m.19 views

Restrictions not applied for inline comments in attachments

When there is a comment for a file which is attached to a restricted page, all users can see the comment, even the ones who are not allowed to see the page and its attachments. h3. Workaround for 5.7 There is no workaround for customers running Confluence 5.7. Customers are advised to upgrade to...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/02/26 12:9 a.m.19 views

XSRF - complete task request omits atl-token

Potential XSRF vulnerability in tasks. No atl-token is present in the request to complete a task which suggests an attacker may be able to craft a cross site request forgery and action a task without the correct authorisation...

3.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/02/26 12:9 a.m.19 views

XSRF - complete task request omits atl-token

Potential XSRF vulnerability in tasks. No atl-token is present in the request to complete a task which suggests an attacker may be able to craft a cross site request forgery and action a task without the correct authorisation...

3.4AI score
Exploits0
Atlassian
Atlassian
added 2015/01/23 5:27 a.m.19 views

Drop SSlv3 retry and copied CustomSSLProtocolSocketFactory.java from SAL

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-36250. panel The fix for CONF-24035 introduced a retry with SSLv3 if a connection fails. However, like workaround implemented i...

0.5AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295