Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2013/06/19 9:30 a.m.102 views

Upgrade bundled Tomcat to the latest minor release

Customer did a Security Scan on the instance and founded the version 5.1.8 that he is using subjected to security vulnerabilities on bundled tomcat which is version 6.0.35. Security Vulnerabilities Information: http://tomcat.apache.org/security-6.htmlFixedinApacheTomcat6.0.36 So customer...

5CVSS7.1AI score0.11975EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2024/01/04 5:19 p.m.101 views

CVE-2023-48795 vulnerability on SSH

panel:title=Strict key exchange support|borderStyle=solid|borderColor=3c78b5|titleBGColor=3c78b5|bgColor=e7f4fa The server now supports strict key exchange in 8.9.10+ LTS, 8.13.6+, 8.14.5+, 8.15.4+, 8.16.3+, 8.17.1+ and 8.18.0+. If old SSH clients that don't support strict key exchange are being...

5.9CVSS6.2AI score0.93305EPSS
Exploits4
Atlassian
Atlassian
added 2021/07/14 6:40 p.m.101 views

Anonymous users can view list of installed gadgets in Jira

h3. Issue Summary Endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Jira instance. While there are not be any identifying information, user data, or anything else available to anonymous users if they hit this URL...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/08/18 4:44 p.m.101 views

Git submodules vulnerability in Sourcetree for Mac - CVE-2020-5260

There was a vulnerability in Sourcetree for macOS and windows that could reveal Git user credentials via maliciously crafted URL by an attacker, This vulnerability is triggered when the affected version of Git is used to execute a git clone command on a malicious URL. Affected versions of Atlassi...

9.3CVSS7.7AI score0.10047EPSS
Exploits2
Atlassian
Atlassian
added 2020/04/15 7:57 p.m.101 views

Stored XSS in Confluence Server via text/rdf

h3. Issue Summary There is a stored XSS in file upload functionality of Confluence Server 7.3.3. This XSS triggers only in Firefox. Bug Bounty An authenticated attacker can upload specially crafted attachment and achieve stored XSS. h3. Steps to Reproduce Go to any Confluence page Attach xss.txt...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/10 4:31 a.m.101 views

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

Description Crowd used a version of Struts 2 that was vulnerable to CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. Affected versions: All versions of...

10CVSS1.4AI score0.99999EPSS
Exploits44
Atlassian
Atlassian
added 2021/08/16 3:40 a.m.100 views

Jira is affected by Tomcat CVE-2020-13943

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-13943|https://vulners.com/cve/CVE-2020-13943. The affected versions of Jira Server and Data Center are before version 8.5.14, from version 8.6.0 before 8.13.6, and from versi...

4.3CVSS4.8AI score0.57286EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/22 11:35 a.m.100 views

Update Apache Struts 2 to avoid CVE-2020-17530

Update Apache Struts to 2.5.26 to avoid CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061...

9.8CVSS2.1AI score0.95922EPSS
Exploits11Affected Software1
Atlassian
Atlassian
added 2019/08/09 4:9 a.m.100 views

XSS in the MigratePriorityScheme resource - CVE-2019-11584

The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the priority icon url of an issue priority...

6.1CVSS4.3AI score0.0097EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/18 10:54 a.m.100 views

Missing permission check in review coverage REST endpoint - CVE-2017-18035

The /rest/review-coverage-chart/1.0/data//.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistic...

4.3CVSS5.3AI score0.00803EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/09/21 12:10 a.m.100 views

The bundled Atlassian Activity Streams plugin had Improper Access control inside several rest inline action resource resource - CVE-2017-9506

The version of the bundled Atlassian Activity Streams plugin was vulnerable to Improper Access control. This allowed remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have...

6.1CVSS3.8AI score0.71601EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:43 a.m.100 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:20 a.m.99 views

Information Disclosure in comment restriction feature - CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. Affected versions: version 7.6.17 7.7.0 ≤ version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.6.17...

6.5CVSS5.7AI score0.01864EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/21 9:36 p.m.99 views

Uploading a malformed Word document and requesting it repeatedly renders Confluence unavailable.

h3. Issue Summary From the researcher: There is a Denial of Service issue in the "Import Word Document" functionality of Confluence Server. When importing a specially crafted word or openoffice document see attached Confluence will throw an java.lang.OutOfMemoryError:. Background: A Word document...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:57 p.m.99 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Crucible before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Crucible...

6.1CVSS2AI score0.87218EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2016/07/07 12:32 a.m.99 views

CVE-2016-4319: /auditing/settings was vulnerable to CSRF

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-61803. panel The /auditing/settings resource was vulnerable to CSRF|https://en.wikipedia.org/wiki/Cross-siterequestforgery attacks...

8.8CVSS1.8AI score0.00666EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:35 a.m.99 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2023/10/11 3:26 p.m.98 views

Upgrade moment library to 2.29.2+ as required for CVE-2022-24785 and CVE-2022-31129

Hi, Is it possible to upgrade the moment.js library to 2.29.2 on all Jira SM versions? It seems fixed in for Jira SW as mentioned https://jira.atlassian.com/browse/JRASERVER-75017 In JSM it is still discovered as a vulnerability...

7.5CVSS6.8AI score0.04923EPSS
Exploits1
Atlassian
Atlassian
added 2021/04/07 6:10 a.m.98 views

Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version...

5.3CVSS4.9AI score0.0141EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/05 4:2 p.m.98 views

CSRF in VerifySmtpServerConnection!add.jspa - CVE-2019-20098

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumera...

4.3CVSS2.9AI score0.00815EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/09/10 4:35 a.m.97 views

XStream upgrade to 1.4.18

h3. Problem XStream is vulnerable to security exploits such as highlighted in the image attached. i The list of CVEs can be found in https://x-stream.github.io/security.html This ticket tracks its upgrade to 1.4.18. h3. Environment Confluence v7.13 h3. Workaround Set...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2020/04/16 8:37 p.m.97 views

Protection Mechanism Failure in file downloading in Companion - CVE-2020-4020

The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure. h5. Acknowledgements Credit for finding...

7.2CVSS6.2AI score0.01669EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 4:15 a.m.97 views

Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check...

7.5CVSS4.6AI score0.0205EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/06/30 3:9 a.m.96 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS2.3AI score0.48883EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/10/14 3:41 a.m.96 views

Unauthenticated user can Enumerate Issue Keys - CVE-2020-14185

Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2. Affected...

5.3CVSS5.8AI score0.02508EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.95 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Bamboo before version 6.8.2 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/11 3:12 a.m.95 views

URL path traversal allows information disclosure - CVE-2019-15004

URL path traversal allows information disclosure - CVE-2019-15004 Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is...

7.5CVSS1.4AI score0.03907EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/09 8:54 p.m.95 views

Unauthenticated user can check the whitelist rules for any URL

h3. Issue Summary This issue was discovered through our bug bounty program. An unauthenticated user can check if a URL is permitted through the whitelist. noformat /rest/whitelist/1/check?url=http://www.atlassian.comnoformat returns the whitelist rules associated with http://www.atlassian.com...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.95 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

The version of the bundled Atlassian Application Links plugin was vulnerable to XSS. See https://ecosystem.atlassian.net/browse/APL-1361 for more details...

4.8CVSS2.1AI score0.00635EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/26 7:5 a.m.95 views

CVE-2016-6496: LDAP Java Object Injection in Crowd

The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP serve...

9.8CVSS2.5AI score0.04705EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/26 4:36 p.m.94 views

RCE (Remote Code Execution) in Confluence Data Center & Server

This High severity RCE Remote Code Execution vulnerability known as CVE-2023-22508 was introduced in version 6.1.0 of Confluence Data Center & Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high...

8.8CVSS9.2AI score0.02185EPSS
Exploits0
Atlassian
Atlassian
added 2020/09/23 11:14 p.m.94 views

CPU exhaustion caused by DoS against Confluence server by requesting static batch resources

The details of this issue can be viewed here: https://asecurityteam.atlassian.net/browse/VULN-170040 The source code is located at: https://bitbucket.org/atlassian/atlassian-plugins-webresource/src/master/...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/12 8:5 p.m.93 views

Information disclosure in Login - CVE-2020-4028

Users without session information should be pushed to the login page. Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login. Affected versions: version...

5.3CVSS3.2AI score0.00862EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:41 a.m.93 views

XSS in Custom Filter Title

There is a reflected XSS in the review custom filter...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:54 a.m.93 views

CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Bamboo used an old version of the Smack XMPP library that deserialises messages received from XMPP. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo if a XMPP connection has been configured. To exploit this issue, Bamboo...

9.8CVSS4.4AI score0.02976EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.92 views

User Enumeration via /rest/api/1.0/render endpoint - CVE-2021-39118

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed...

5.3CVSS6.7AI score0.01422EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/16 10:14 p.m.92 views

Improper authorization check in the WorkflowResource class removeStatus method - CVE-2019-15013

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a projec...

4.3CVSS6.1AI score0.0121EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/24 7:34 a.m.92 views

Missing access controls in loadattachmentversions action

The loadattachmentsversions action is accessible to any user of Confluence and returns version history information for an attachment. No access controls appear to be implemented for this action and any user of Confluence can obtain version history for any attachment, including those on pages in...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/15 4:23 a.m.92 views

Upgrade standalone Tomcat to 5.5.25

We should bundle the latest version of Tomcat with standalone to pick up some fixes including the security vulnerability detailed at: https://vulners.com/cve/CVE-2007-3382 https://vulners.com/cve/CVE-2007-3385...

5CVSS6AI score0.99708EPSS
Exploits27Affected Software1
Atlassian
Atlassian
added 2022/06/09 8:36 p.m.91 views

Jira: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Jira Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS9.8AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 7:32 p.m.91 views

Search from the Slack app ignores permissions in Confluence

h3. Issue Summary Search from the Slack app ignores permissions in Confluence. There are different scenarios where we see an issue with searching Confluence from Slack: If a user doesn't have permissions to access the space, they can still search for content Search returns information from Spaces...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/30 9:25 p.m.91 views

Improper authorization on project titles vulnerability in Jira - CVE-2019-20404

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. h3. Note on fix The fix was tested internally before backporting it and no issues were...

4.3CVSS4.2AI score0.01297EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/23 12:57 a.m.90 views

Authentication Bypass in Jira Seraph - CVE-2022-0540

i Updates 2022/05/05 11:30 AM PDT Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available: Secure Code Warrior® for Jira Simple Tasklists Simple Team Pages for Jira UiPath Test Manager for Jira Xporter - Export issues from...

9.8CVSS2.5AI score0.88057EPSS
Exploits2
Atlassian
Atlassian
added 2021/01/21 9:12 a.m.90 views

Unauthenticated information leakage of temporary files and project keys - CVE-2021-26069

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/\id/ActionsAndOperations API endpoint. The affected versions are before...

5.3CVSS5.6AI score0.02508EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:43 a.m.90 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2023/11/12 1:44 p.m.89 views

DoS (Denial of Service) io.netty:netty-codec-http2 in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows...

7.5CVSS7.3AI score0.99999EPSS
Exploits19
Atlassian
Atlassian
added 2022/07/05 9:1 p.m.89 views

Bitbucket: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Bitbucket Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS1.8AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/25 1:26 a.m.89 views

Non-administrators can edit the File Replication settings - CVE-2021-41308

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...

6.5CVSS5.5AI score0.00981EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/21 3:3 a.m.88 views

Jira Service Management / Insight Asset Management vulnerable to RCE Security

Description Insight - Asset Management has a feature to import data from several databases DBs. One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server remote code execution a.k.a. RCE. The H2 DB is bundled with Jira to help speed up...

8.8CVSS1.1AI score0.34986EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2021/07/09 5:44 a.m.88 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS2.3AI score0.48883EPSS
Exploits1Affected Software1
Total number of security vulnerabilities4295