4295 matches found
Allow embedding multimedia content located on remote servers
Re: CSP-8387 Currently, when embedding multimedia content on Confluence you are restricted to embedding files located on the Confluence server. The page http://confluence.atlassian.com/display/CONF20/Embedding+Multimedia+Content singles out "security reasons" as the reason for this limitation. In...
Authentication via os_username and os_password URL params is broken
Logging in by specifying username/password in the URL like this: noformathttp://jira.atlassian.com/browse/XYZ-114?decorator=none&view=rss&osusername=LOGIN&ospassword=PASSWORDnoformat used to work. tested with JIRA 3.6.3 Now you get presented with an undecorated "not logged in" message. This issue...
Deleting a custom field which has an issue security scheme or permission scheme on it does not update the index and issue navigator is out of date
emphasized textSimilar to JRA-12410 - deleting a custom field does not adequately clean up after itself. Specifically, affected issues are not reindexed so the updated security and permission aspects are not reflected in search results which is a security hole. Note that a naive fix may produce...
Make anonymiser more strict about the translation of values
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-12420. panel the anonymiser replaces letter and number characters in string values during xml backup. A more strict anonymiser would replace...
publically available usernames are a security risk
The login username of users is revealed all over the place in URLs that link to user profile, or user's list of assigned open bugs etc. This seems to be a big security risk, because you have given away half of the user identification to strangers. Anybody can look up a user in the issue tracker a...
Encrypt all passwords stored on the file system
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-2146. panel Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be. Resolve an...
A page containing the rss-macro is not displayed if the requested rss-feed is "down"
A page containing the rss-feed macro is not shown if the requested rss-feed is "down" there's no response sent to the browser. It would certainly be better if the page could be displayed anyway; perhaps with a message stating that the feed contents can't be fetched...
Applet certificate is not trusted.
You need to get a proper certificate for the applet - or else there will be some disquiet amongst some corporate users - and their IT Security overlords...
DoS (Denial of Service) glob-parent Dependency in Jira Service Management Data Center
This High severity DoS Denial of Service vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, and 11.2.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVS...
DoS (Denial of Service) axios Dependency in Crowd Data Center
This High severity RCE Remote Code Execution vulnerability was introduced in versions 5.3.1, 6.0.0, 6.1.3, 6.2.2, 6.3.0, 7.0.0, and 7.1.0 of Crowd Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...
DOM-based XSS @remix-run/router Dependency in Crowd Data Center
This High severity DOM-based XSS vulnerability was introduced in version 7.1.0 of Crowd Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N allows an unauthenticated attacker to execute arbitrary HTML or JavaScrip...
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server
This High severity DoS Denial of Service vulnerability was introduced in version 9.12.2, 9.13.0, 9.14.0, 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Software Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score ...
Injection sha.js Dependency in Jira Software Data Center and Server
This High severity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, 11.1.0, and 11.2.0 of Jira Software Data Center and Server. This Injection vulnerability, with a CVSS Score of 9.1 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:Hcode allows an...
DoS (Denial of Service) cross-spawn Dependency in Jira Software Data Center and Server
This High severity DoS Denial of Service vulnerability was introduced in versions 6.0.5 and 10.3.0 of Jira Software Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.7 and a CVSS Vector of code:java...
DoS (Denial of Service) qs Dependency in Jira Software Data Center and Server
This High severity DoS Denial of Service vulnerability was introduced in version 10.3.14 of Jira Software Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of code:java...
Improper Authorization org.springframework:spring-core Dependency in Bitbucket Data Center and Server
This High severity Improper Authorization vulnerability was introduced in version 8.19.0 and 9.4.0 of Bitbucket Data Center and Server. This Improper Authorization vulnerability, with a CVSS Score of 7.5, allows an attacker to potentially perform actions to circumvent authorization checks, which...
XXE (XML External Entity Injection) in Jira Software Data Center and Server
This High severity XXE XML External Entity Injection vulnerability was introduced in version 11.2.0 of Jira Software Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an...
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server
This High severity XXE XML External Entity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, and 11.1.0 of Jira Service Management Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 8.4 and a CVSS Vector of...
XXE (XML External Entity Injection) Tika Dependency Vulnerability in Crowd Data Center and Server
This Crowd release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for exploitation...
XXE (XML External Entity Injection) Tika Dependency Vulnerability in Bamboo Data Center and Server
This Bamboo release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for exploitation...
DoS (Denial of Service) commons-fileupload:commons-fileupload Dependency in Jira Software Data Center and Server
This High severity DoS Denial of Service vulnerability known as CVE-2025-48976 was introduced in 9.12.1 of Jira Software Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to take...
DoS (Denial of Service) minimatch Dependency in Jira Software Data Center and Server
This High severity DoS Denial of Service vulnerability known as CVE-2022-3517 was introduced in 10.3.13 of Jira Software Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to take...
Prototype Pollution Third-Party Dependency in Bitbucket Data Center and Server - CVE-2020-28471
This High severity vulnerability known as CVE-2020-28471 was introduced in 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 8.19.5, 8.19.6, 8.19.7, 8.19.8, 8.19.9, 8.19.10, 8.19.11, 8.19.12, 8.19.13, 8.19.14, 8.19.15 of Bitbucket Data Center and Server. This vulnerability with a CVSS Score of 7.3 and a CV...
RCE (Remote Code Execution) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2016-1000027
note: This is a critical vulnerability in a non-Atlassian Bitbucket dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. This...
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2023-52428
This High severity vulnerability known as CVE-2023-52428 was introduced in 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.6.4, 8.7.0, 8.7.1, 8.7.2, 8.7.3, 8.7.4, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.9.0...
DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server - CVE-2025-22166
This High severity DoS Denial of Service vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely...
DoS (Denial of Service) Third-Party Dependency in Jira Software Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.0, and 11.0.0 of Jira Software Data Center and Server. This Third-Party Dependency...
DoS (Denial of Service) commons-fileupload:commons-fileupload Dependency in Crucible Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in version 4.9.0 of Crucible Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...
Third-Party Dependency in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an...
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...
DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...
Security Misconfiguration vulnerability in Bitbucket Data Center and Server
This High severity Security Misconfiguration Dependency vulnerability was introduced in versions 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bitbucket Data Center and Server. This Security Misconfiguration vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...
BASM (Broken Authentication and Session Management) org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 10.3.0 and 10.7.1 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an...
DoS (Denial of Service) Third-Party Dependency in Crowd Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 6.1.0 and 6.2.0 of Crowd Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated...
DoS (Denial of Service) io.netty:netty-handler Dependency in Jira Software Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 9.11.3, 9.12.0, 9.13.0, 9.14.0, 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7....
Dummy Issue
h3. Issue Summary This issue is created to test the automation rule to restrict the access level in case of a security bug. h3. Steps to Reproduce Dummy step 1 Dummy step 2 h3. Expected Results Dummy h3. Actual Results The below exception is thrown in the xxxxxxx.log file: noformat ... noformat h...
DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bitbucket Data Center and Server
This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data Center. This...
DoS (Denial of Service) ua-parser.js Dependency in Crowd Data Center
This High severity DoS Denial of Service vulnerability, caused by ua-parserj.js, was introduced in versions 6.0.4 and 6.1.2 of Crowd Data Center. This DoS Denial of Service, with a CVSS Score of 7.5 and a CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated...
Update atlassian-gadgets to 4.2.41 to fix information leak
The atlassian-gadgets library bundled in Crucible allowed an information leak about installed plugins to anonymous users...
Changing public flag in Repository Permissions does not reflect on mirrors
h3. Issue Summary When Public flag is enabled/disabled for a mirrored repository, it doesn't sync on corresponding mirrors. h3. Steps to Reproduce Setup BbS Mirror and approve it on upstream. Create a repository in some project, let's say Project A, and set Public flag as Enabled in Repository...
JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone
h3. Summary JIRA Anonymous User Is Able To Search For Creator Name Via JQL Search Screen|http://localhost:8080/issues/?jql= By Insert Full User Name Even When Browse User Global Permission Doesn't Allow "Anyone". This is definitely not an expected behavior if "Browse User" wasn't set to anyone...
Lucene query checks plan permission against random plan
h1. Summary Bamboo runs permission validation against random plan when execute report h1. Details When execute report generator Bamboo checks if user has READ permission to plan. Sometimes it checks it against another plan User mode Create 2 plans Plan1 and Plan2 in same project. And execute them...
Update application-links to fix APL-1327
Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...
Non-admin User Should not be able to see all users/groups in drop down
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Portfolio Server. Using JIRA Portfolio Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JPOCLOUD-1781. panel h3. Summary In Plan configuration Permissions Plan access. Non-admin users can try to add Viewers and see all...
Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-45392. panel For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets ...
User Management - Space View and Edit Control
With our Confluence users linking to LDAP, it is difficult having to create and delete groups to control permissions. Whilst it is great having permission controls for each space, this can be a nightmare going through each one to control individual users and having a list the length of my arm to...
User Management - Space View and Edit Control
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-45194. panel With our Confluence users linking to LDAP, it is difficult having to create and delete groups to control...
SECURITY: Update application-links in JIRA Server to fix APL-1327
Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case JIRA server would update application-links from version 5.2.3 to version 5.2.4...
Secure SSL flag does not work when using Delegated LDAP
h3. Summary The Secure SSL flag under the Advanced Settings section in the LDAP settings does not work when using Delegated LDAP/Internal with LDAP Authentication in JIRA. h3. Steps to Reproduce Add a Delegated LDAP AD in JIRA Checking the Secure SSL checkbox and hit the Save and Test button if w...
Information disclosure on non protected page
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-43406. panel In confluence, a user can navigate to the page "/notfound", and receive a standard "Page Not Found". This page...