Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2025/09/09 2:9 a.m.•17 views

DoS (Denial of Service) commons-fileupload:commons-fileupload Dependency in Crucible Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 4.9.0 of Crucible Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS8.7AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
•added 2025/08/13 6:9 a.m.•17 views

Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an...

7.5CVSS7.3AI score0.03163EPSS
Exploits0
Atlassian
Atlassian
•added 2025/08/13 6:9 a.m.•17 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7.2AI score0.54877EPSS
Exploits1
Atlassian
Atlassian
•added 2025/08/13 6:8 a.m.•17 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7.2AI score0.0196EPSS
Exploits0
Atlassian
Atlassian
•added 2025/07/09 4:9 a.m.•17 views

Security Misconfiguration vulnerability in Bitbucket Data Center and Server

This High severity Security Misconfiguration Dependency vulnerability was introduced in versions 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bitbucket Data Center and Server. This Security Misconfiguration vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...

8.2CVSS7.1AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
•added 2025/07/05 5:9 a.m.•17 views

BASM (Broken Authentication and Session Management) org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 10.3.0 and 10.7.1 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an...

7.5CVSS7.3AI score0.03163EPSS
Exploits0
Atlassian
Atlassian
•added 2025/06/05 6:8 a.m.•17 views

DoS (Denial of Service) Third-Party Dependency in Crowd Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 6.1.0 and 6.2.0 of Crowd Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated...

7.5CVSS7.8AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
•added 2025/03/11 2:55 p.m.•17 views

Dummy Issue

h3. Issue Summary This issue is created to test the automation rule to restrict the access level in case of a security bug. h3. Steps to Reproduce Dummy step 1 Dummy step 2 h3. Expected Results Dummy h3. Actual Results The below exception is thrown in the xxxxxxx.log file: noformat ... noformat h...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2025/02/27 5:14 a.m.•17 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bitbucket Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data Center. This...

7.5CVSS7.1AI score0.011EPSS
Exploits0
Atlassian
Atlassian
•added 2024/12/12 1:15 p.m.•17 views

DoS (Denial of Service) ua-parser.js Dependency in Crowd Data Center

This High severity DoS Denial of Service vulnerability, caused by ua-parserj.js, was introduced in versions 6.0.4 and 6.1.2 of Crowd Data Center. This DoS Denial of Service, with a CVSS Score of 7.5 and a CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated...

7.5CVSS6.7AI score0.01725EPSS
Exploits2
Atlassian
Atlassian
•added 2022/03/07 8:14 a.m.•17 views

Update atlassian-gadgets to 4.2.41 to fix information leak

The atlassian-gadgets library bundled in Crucible allowed an information leak about installed plugins to anonymous users...

6.7AI score
Exploits0
Atlassian
Atlassian
•added 2019/06/03 3:47 a.m.•17 views

Changing public flag in Repository Permissions does not reflect on mirrors

h3. Issue Summary When Public flag is enabled/disabled for a mirrored repository, it doesn't sync on corresponding mirrors. h3. Steps to Reproduce Setup BbS Mirror and approve it on upstream. Create a repository in some project, let's say Project A, and set Public flag as Enabled in Repository...

1.8AI score
Exploits0
Atlassian
Atlassian
•added 2018/10/23 8:19 a.m.•18 views

JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone

h3. Summary JIRA Anonymous User Is Able To Search For Creator Name Via JQL Search Screen|http://localhost:8080/issues/?jql= By Insert Full User Name Even When Browse User Global Permission Doesn't Allow "Anyone". This is definitely not an expected behavior if "Browse User" wasn't set to anyone...

Exploits0
Atlassian
Atlassian
•added 2017/03/04 9:49 a.m.•17 views

Lucene query checks plan permission against random plan

h1. Summary Bamboo runs permission validation against random plan when execute report h1. Details When execute report generator Bamboo checks if user has READ permission to plan. Sometimes it checks it against another plan User mode Create 2 plans Plan1 and Plan2 in same project. And execute them...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/19 9:31 a.m.•17 views

Update application-links to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/06 11:12 a.m.•17 views

Non-admin User Should not be able to see all users/groups in drop down

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Portfolio Server. Using JIRA Portfolio Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JPOCLOUD-1781. panel h3. Summary In Plan configuration Permissions Plan access. Non-admin users can try to add Viewers and see all...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/28 4:10 a.m.•17 views

Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-45392. panel For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets ...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/09 11:9 a.m.•17 views

User Management - Space View and Edit Control

With our Confluence users linking to LDAP, it is difficult having to create and delete groups to control permissions. Whilst it is great having permission controls for each space, this can be a nightmare going through each one to control individual users and having a list the length of my arm to...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/09 11:9 a.m.•17 views

User Management - Space View and Edit Control

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-45194. panel With our Confluence users linking to LDAP, it is difficult having to create and delete groups to control...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/02 7:29 a.m.•17 views

SECURITY: Update application-links in JIRA Server to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case JIRA server would update application-links from version 5.2.3 to version 5.2.4...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/08/10 5:55 p.m.•17 views

Secure SSL flag does not work when using Delegated LDAP

h3. Summary The Secure SSL flag under the Advanced Settings section in the LDAP settings does not work when using Delegated LDAP/Internal with LDAP Authentication in JIRA. h3. Steps to Reproduce Add a Delegated LDAP AD in JIRA Checking the Secure SSL checkbox and hit the Save and Test button if w...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2016/08/10 1:39 p.m.•17 views

Information disclosure on non protected page

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-43406. panel In confluence, a user can navigate to the page "/notfound", and receive a standard "Page Not Found". This page...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/06/14 12:29 p.m.•17 views

group normalisation from 4.0 upgrade tasks is breaking permissions

Group normalisation from 4.0 upgrade tasks is breaking permissions. Scenario: backup created for 3.1.7 instance, repo "repo-uppercase-access" configured with "GROUP-A" can read access backup file restored on 4.1 instance, I can see following messages in the upgrade log code$ grep -i renam...

0.6AI score
Exploits0
Atlassian
Atlassian
•added 2016/02/09 10:50 a.m.•17 views

XSS vulnerability found in profile settings

There was a XSS vulnerability found in profile settings pages...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2016/02/09 10:49 a.m.•17 views

XSS vulnerability found in profile settings

There was a XSS vulnerability found in profile settings pages...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2015/10/12 8:53 a.m.•17 views

XSS in review file paths

We have identified a XSS vulnerability introduced in Crucible 3.9.0. Fix was included in 3.9.1 version released publicly on September 10th, 2015...

3.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/18 10:9 p.m.•17 views

Content Spoofing in UpdateMyJiraHome

A third party scan found that the ConvertIssue.jspa action is vulnerable to content spoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users. How to reproduce: 1- go to...

0.5AI score
Exploits0
Atlassian
Atlassian
•added 2015/06/04 10:6 p.m.•17 views

Remove old plugin manager

The old plugin manager is still available in confluence if you know the URL ../admin/viewplugins.action it looks quite terrible and given it is almost an unknown feature most of the current Confluence Team would not know to fix it if there are security problems with it. It was kept when we put UP...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/03/15 10:56 p.m.•17 views

Restricted blog post visible in the month summary page

Steps to reproduce: 1. create a new blog post, and restrict it to yourself 2. log in as another user and go to Blogs in sidebar 3. blog is not visible in the blogs summary page 4. click a visible blog in the same month 5. click the month link in the breadcrumb 5. restricted blog title and excerpt...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/02/05 8:33 p.m.•17 views

Authentication fails on Push to Stash

When I attempt to Push commit of a few dozen files to the Stash-hosted Git repository, I receive the attached error indicating an authentication failure...

2AI score
Exploits0
Atlassian
Atlassian
•added 2015/01/14 11:25 a.m.•17 views

Disable SSLv3 in outgoing HTTPS connections from Confluence

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-36165. panel SSLv3 is an old protocol and has been superseded by TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.0 was first defined in...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/01/14 11:25 a.m.•17 views

Disable SSLv3 in outgoing HTTPS connections from Confluence

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-36165. panel SSLv3 is an old protocol and has been superseded by TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.0 was first defined in...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/12/18 11:32 p.m.•17 views

Update Embedded git version

Today was announced that Git contains "A critical Git security vulnerability". It would be nice that in the options panel of sourcetree on the tab git, the button "Update embedded git" downloads the latest version of git 1.9.5. https://github.com/blog/1938-git-client-vulnerability-announced...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/12/02 7:41 a.m.•17 views

XSS vulnerability in "children" macro when displaying excerpts

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-35777. panel - Create a parent page A with a child page B - Add an \excerpt\ macro to B containing the text alert"Gotcha!"; - A...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/11/03 8:38 a.m.•17 views

user receives email notification even though restriction have been applied to the page

Steps to reproduce : Login to Confluence Create a page Insert a team calendar into the page Ask a user A to watch the page Make changes to team calendar User A is receiving email notification for the calendar as expected Creator of the page restrict the page with the calendar from being viewed by...

0.7AI score
Exploits0
Atlassian
Atlassian
•added 2014/10/30 9:18 a.m.•17 views

After disable SSL 3.0 (cause of Poodle) Jira doesn't work

After following this description: https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA?focusedCommentId=683541348&comment-683541348 Jira doesnt work anymore. Our default server.xml contains following: scheme="https" secure="true"...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/14 5:42 p.m.•17 views

Adding Subscription Cal by URL stores user password unencrypted

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-48402. panel I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/14 3:23 a.m.•17 views

Mail sever configuration page sends mail server password back in the html

The mail server configuration page fills in the current mail server password in the html and it should not. Instead a place-holder value should be used instead of the current password value and if the place-holder value is submitted in a request then the mail server password is not updated...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/08 7:14 a.m.•17 views

Session ID URL's in logfile

Hi, In the logfiles you can see the session ID's in the URL. Can this be used to hack into a another account?...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/01 2:52 p.m.•17 views

Confluence Security Settings not respected by Confluence Questions

Hi Atlassian team, in our Confluence configuration we set "User email visibility" to "only visible to site administrators" However, we use the Confluence Questions plugin and if we click there on a Contact and "Contact info", the email is displayed even to anonymous users. As I am on vaccation fo...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/09/06 3:12 p.m.•17 views

Tools/Share sends e-mail to disabled users

I have Confluence/JIRA latest versions self hosted. Confluence gets its users from JIRA. I created a new topic and then used the Tools/Share option to notify all of the new topic. I used "jira-users" to send the message to. It sent to everyone including disabled users. I would expect the behavior...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/08/15 11:35 p.m.•17 views

"Issue Does Not Exist" page leaks information to non-logged in users

Trying to open a URL for an issue that does not exist shows the "Issue Does Not Exist" error page, even if you are logged out and the project is not publicly viewable. In contrast, trying to open the URL for valid issue will prompt the user to login. In this way, an unprivileged user can learn...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/08/06 11:30 p.m.•17 views

Stored XSS Vulnerability found on Atlassian

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47027. panel Hi ! I am writing this email to let you know of a Stored XSS Vulnerability that i found on atlassian.com . You wil...

5.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/07/29 9:27 p.m.•18 views

Password for LDAP Connection Displayed in the "directoryConfigurationSummary.txt" file

In the Support.zip|https://confluence.atlassian.com/display/DOC/Troubleshooting+Problems+and+Requesting+Technical+SupportTroubleshootingProblemsandRequestingTechnicalSupport-Method1:UsingtheSupportRequestFormviatheConfluenceAdministrationConsole there is a file named...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/07/28 4:26 a.m.•17 views

Content injection caused by failing to encode the url

The exampleURLPrefix variable given to the single-xml-header.vm|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/resources/templates/plugins/issueviews/single-xml-header.vm11 or...

1.2AI score
Exploits0
Atlassian
Atlassian
•added 2014/07/17 9:19 a.m.•17 views

Upgrade to Application Links 4.2.4, SAL 2.12.2+

We have vulnerability in application links: https://jira.atlassian.com/browse/JRA-38918 Bumping applinks to 4.2.4 and SAL to 2.10.20 will fix the problem. Product should implement IFRAME page capability in their login page provided by LoginUriProvider...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/06/25 11:54 p.m.•17 views

Bruteforce Attack via Applinks Servlet

An attacker is able to perform bruteforce attacks via the applinks servlet. There is no captcha protection, nor do accounts get locked out after excessive attempts. The attacker can input a username, and perform bruteforce attacks on the login form. The core issue is that there is no login attemp...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/05/26 2:4 p.m.•17 views

Persistent Cross Site Scripting Flaw in User Profiles

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46664. panel A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/04/30 9:37 a.m.•17 views

Unauthenticated User can access certain pages on a private JIRA instance

When you enter the URL of a private JIRA instance on the Quick Search from the login page, you will be directed to the Issue Navigator. !mark2.jpg|thumbnail! If you click the "Status" drop down button, you the unauthenticated user would be able to see the status codes. !mark1.jpg|thumbnail! If yo...

2.9AI score
Exploits0
Atlassian
Atlassian
•added 2014/02/20 4:9 p.m.•17 views

Restricted JIRA comments appear in Confluence notification inbox

If a user is watching a JIRA issue, and a restricted comment is made on that issue that the user should not be able to see, the notification still appears in their Confluence notification inbox. When the user navigates to the issue, the correctly are not allowed to see the comment. This is a...

2.7AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295