Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2013/06/19 9:30 a.m.98 views

Upgrade bundled Tomcat to the latest minor release

Customer did a Security Scan on the instance and founded the version 5.1.8 that he is using subjected to security vulnerabilities on bundled tomcat which is version 6.0.35. Security Vulnerabilities Information: http://tomcat.apache.org/security-6.htmlFixedinApacheTomcat6.0.36 So customer...

5CVSS7.1AI score0.11975EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2021/11/29 3:22 p.m.97 views

Information Disclosure ever after CVE-2020-14179/JRASERVER-71536

h3. Issue Summary Unauthorized access to data from the following API even if the public.access.disabled is enabled. /rest/api/2/projectCategory /rest/api/2/resolution /rest/menu/latest/admin h3. Steps to Reproduce - Install Jira 8.13.9 with H2 database - Create a project and some Project categori...

5.3CVSS1.3AI score0.76042EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/09/10 4:35 a.m.97 views

XStream upgrade to 1.4.18

h3. Problem XStream is vulnerable to security exploits such as highlighted in the image attached. i The list of CVEs can be found in https://x-stream.github.io/security.html This ticket tracks its upgrade to 1.4.18. h3. Environment Confluence v7.13 h3. Workaround Set...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2020/04/16 8:37 p.m.97 views

Protection Mechanism Failure in file downloading in Companion - CVE-2020-4020

The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure. h5. Acknowledgements Credit for finding...

7.2CVSS6.2AI score0.01669EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:13 a.m.97 views

DoS via missing input validation in UserPickerBrowser.jspa - CVE-2019-20413

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability on the UserPickerBrowser.jspa page. Affected versions: version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.13.9 8.4.2 8.5.0...

7.5CVSS6.8AI score0.02129EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/09 1:22 a.m.97 views

Template injection in Jira importers plugin - CVE-2019-15001

h3. Issue Summary There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin JIM. An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on...

9CVSS3AI score0.11366EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.95 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Bamboo before version 6.8.2 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/11 3:12 a.m.95 views

URL path traversal allows information disclosure - CVE-2019-15004

URL path traversal allows information disclosure - CVE-2019-15004 Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is...

7.5CVSS1.4AI score0.03907EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/26 7:5 a.m.95 views

CVE-2016-6496: LDAP Java Object Injection in Crowd

The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP serve...

9.8CVSS2.5AI score0.04705EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/09/23 11:14 p.m.94 views

CPU exhaustion caused by DoS against Confluence server by requesting static batch resources

The details of this issue can be viewed here: https://asecurityteam.atlassian.net/browse/VULN-170040 The source code is located at: https://bitbucket.org/atlassian/atlassian-plugins-webresource/src/master/...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/26 4:36 p.m.93 views

RCE (Remote Code Execution) in Confluence Data Center & Server

This High severity RCE Remote Code Execution vulnerability known as CVE-2023-22508 was introduced in version 6.1.0 of Confluence Data Center & Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high...

8.8CVSS9.2AI score0.02185EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 4:9 a.m.93 views

XSS in the MigratePriorityScheme resource - CVE-2019-11584

The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the priority icon url of an issue priority...

6.1CVSS4.3AI score0.0097EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/09 8:54 p.m.93 views

Unauthenticated user can check the whitelist rules for any URL

h3. Issue Summary This issue was discovered through our bug bounty program. An unauthenticated user can check if a URL is permitted through the whitelist. noformat /rest/whitelist/1/check?url=http://www.atlassian.comnoformat returns the whitelist rules associated with http://www.atlassian.com...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/18 1:28 a.m.93 views

Bitbucket Data Center - Path traversal in the migration tool leads to RCE - CVE-2019-3397

h3. Issue Summary Bitbucket Data Center had a path traversal vulnerability in the Data Center migration tool. A remote attacker with authenticated user with admin permissions can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code executio...

9.1CVSS1.4AI score0.05057EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:41 a.m.93 views

XSS in Custom Filter Title

There is a reflected XSS in the review custom filter...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:54 a.m.93 views

CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Bamboo used an old version of the Smack XMPP library that deserialises messages received from XMPP. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo if a XMPP connection has been configured. To exploit this issue, Bamboo...

9.8CVSS4.4AI score0.02976EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/15 4:23 a.m.92 views

Upgrade standalone Tomcat to 5.5.25

We should bundle the latest version of Tomcat with standalone to pick up some fixes including the security vulnerability detailed at: https://vulners.com/cve/CVE-2007-3382 https://vulners.com/cve/CVE-2007-3385...

5CVSS6AI score0.99708EPSS
Exploits27Affected Software1
Atlassian
Atlassian
added 2022/06/09 8:36 p.m.91 views

Jira: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Jira Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS9.8AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 7:32 p.m.91 views

Search from the Slack app ignores permissions in Confluence

h3. Issue Summary Search from the Slack app ignores permissions in Confluence. There are different scenarios where we see an issue with searching Confluence from Slack: If a user doesn't have permissions to access the space, they can still search for content Search returns information from Spaces...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:20 a.m.91 views

Information Disclosure in comment restriction feature - CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. Affected versions: version 7.6.17 7.7.0 ≤ version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.6.17...

6.5CVSS5.7AI score0.01864EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/24 7:34 a.m.91 views

Missing access controls in loadattachmentversions action

The loadattachmentsversions action is accessible to any user of Confluence and returns version history information for an attachment. No access controls appear to be implemented for this action and any user of Confluence can obtain version history for any attachment, including those on pages in...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/23 12:57 a.m.90 views

Authentication Bypass in Jira Seraph - CVE-2022-0540

i Updates 2022/05/05 11:30 AM PDT Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available: Secure Code Warrior® for Jira Simple Tasklists Simple Team Pages for Jira UiPath Test Manager for Jira Xporter - Export issues from...

9.8CVSS2.5AI score0.88333EPSS
Exploits2
Atlassian
Atlassian
added 2020/04/08 3:6 a.m.89 views

Improper authentication on Convert Sub-Task to Issue page - CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names Project Key, if it is part of the workflow name Issue Keys Issue Types Status...

5.3CVSS6.3AI score0.01883EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/30 9:25 p.m.89 views

Improper authorization on project titles vulnerability in Jira - CVE-2019-20404

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. h3. Note on fix The fix was tested internally before backporting it and no issues were...

4.3CVSS4.2AI score0.01297EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/21 3:3 a.m.88 views

Jira Service Management / Insight Asset Management vulnerable to RCE Security

Description Insight - Asset Management has a feature to import data from several databases DBs. One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server remote code execution a.k.a. RCE. The H2 DB is bundled with Jira to help speed up...

8.8CVSS1.1AI score0.34986EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2021/07/09 5:44 a.m.88 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS2.3AI score0.48883EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/05/27 7:45 a.m.88 views

Include additional parameters to avoid reverse tabnabbing exploits

A customer had their Confluence instance reviewed and found that it was susceptible to Reverse Tabnabbing, like Jira is in JRASERVER-68830. Steps to replicate the issue on Confluence can be found in the file below. ^tabnabbingfindingconfluence.pdf...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/29 10:22 p.m.88 views

SSRF in OIDC Setup [Bitbucket Data Center]

h3. Issue Summary SSRF h3. Steps to Reproduce During set-up of a custom OpenID Connect identity provider in Bitbucket Server but may apply to other Data Center applications that use the same OIDC module|https://hub.docker.com/r/atlassian/bitbucket-server/, one has to specify the "Issuer URL". As...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/05 4:2 p.m.88 views

CSRF in VerifySmtpServerConnection!add.jspa - CVE-2019-20098

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumera...

4.3CVSS2.9AI score0.00815EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.88 views

Information disclosure in the listEntityLinks servlet resource - CVE-2019-15011

The version of the Application Links plugin used in Crowd before version 3.3.5, and from version 3.4.0 before version 3.4.4 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for mor...

4.3CVSS3AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 4:2 a.m.88 views

Information disclosure in the ManageFilters.jspa resource - CVE-2019-3401

The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.3AI score0.12719EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/12/21 5:4 a.m.88 views

Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

The embedded version of Git LFS|https://git-lfs.github.com used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing...

10CVSS9.3AI score0.06331EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2016/07/07 12:32 a.m.88 views

CVE-2016-4319: /auditing/settings was vulnerable to CSRF

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-61803. panel The /auditing/settings resource was vulnerable to CSRF|https://en.wikipedia.org/wiki/Cross-siterequestforgery attacks...

8.8CVSS1.8AI score0.00666EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:43 a.m.88 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2023/11/12 1:44 p.m.87 views

DoS (Denial of Service) io.netty:netty-codec-http2 in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows...

7.5CVSS7.3AI score0.99999EPSS
Exploits19
Atlassian
Atlassian
added 2022/07/05 9:1 p.m.87 views

Bitbucket: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Bitbucket Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS1.8AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/31 9:25 p.m.87 views

Project enumeration through /browse.PROJECTKEY - CVE-2020-14178

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. Affected versions: version 7.13.17 7.14.0 ≤ version 8.5.8 8.6.0 ≤ version 8.12.0 Fixed versions: 7.13.17 8.5....

7.5CVSS6.3AI score0.03051EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/20 6:2 a.m.87 views

Improper authorization on /rest/project-templates/1.0/createshared endpoint - CVE-2020-4029

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project names via an improper authorization vulnerability in the /rest/project-templates/1.0/createshared endpoint API endpoint. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 8.8.0 ≤ version...

4.3CVSS7.8AI score0.01448EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/19 8:17 p.m.87 views

Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394

Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the /confluence/WEB-INF/ directory and it's subdirectories, which may contain configuration files...

8.8CVSS2.6AI score0.11406EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2016/02/04 2:48 a.m.87 views

Update Java version bundled found in the installer to a version >= 1.8u71

Update the bundled version of java to a version = 1.8u71 1.8 update 71, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlAppendixJAVA. Included in the security fixes is a fix for CVE-2016-0483 "An out-of-bounds write flaw was found in the...

10CVSS2AI score0.14714EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/26 8:4 p.m.87 views

Rest API XSS

An unauthenticated XSS vulnerability has been confirmed in confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...

6.1CVSS0.6AI score0.02302EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/05/20 4:0 a.m.86 views

XStream upgrade to 1.4.17

h3. Problem XStream is vulnerable to security exploits including CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html. This ticket tracks it's upgrade to 1.4.17 panel:title=Atlassian Update - July 2021|borderStyle=solid|borderColor=6554c0|titleBGColor=6554c0|bgColor=eae6ff We have upgrade...

8.8CVSS2.1AI score0.77735EPSS
Exploits1
Atlassian
Atlassian
added 2019/07/08 10:50 p.m.86 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Fisheye before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Fisheye...

6.1CVSS1.5AI score0.87218EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:59 a.m.86 views

CVE-2015-8361: Services exposed without authentication Vulnerability

Bamboo exposed services without first performing authentication checks. Attackers can use this vulnerability to extract confidential information from Bamboo, modify certain settings and manage build agents. To exploit this issue, attackers need to be able to access the Bamboo JMS port. Affected...

9.8CVSS2.3AI score0.02844EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/11/10 5:3 p.m.85 views

Upgrade Apache Commons-text for CVE-2022-42889

h3. DISCLAIMER panel:bgColor=e3fcef ! Confluence IS NOT VULNERABLE to CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889. This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the nex...

9.8CVSS9.1AI score0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2020/04/01 4:7 a.m.85 views

Customers created via the Customer Portal do not trigger an email verification

In affected versions of Jira Service Desk Server and Data Centre, it was possible to create customers with fake email addresses via the Customer Portal. This is now resolved with email verification. Affected versions: version 3.16.13 4.0.0 ≤ version 4.5.3 4.6.0 ≤ version 4.7.0 Fixed versions:...

5.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/07 10:17 p.m.85 views

The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability XSS. See https://ecosystem.atlassian.net/browse/UPM-5871 for more details...

5.4CVSS1.5AI score0.00591EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/10/24 12:58 a.m.85 views

Persistent XSS in JIRA charting plugin Workload Pie Chart Report

The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand. The configuration page contains an XSS vulnerability in custom field names. 1. Create a custom field with the name alert'custom field' 2. Try to...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/06/03 8:8 p.m.84 views

Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7,...

9.8CVSS5.8AI score0.99999EPSS
Exploits75
Atlassian
Atlassian
added 2021/10/21 11:57 a.m.84 views

CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Confluence is currently using underscore.js 1.10.2. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a...

7.2CVSS2.1AI score0.04087EPSS
Exploits2Affected Software1
Total number of security vulnerabilities4295