Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2022/11/10 5:3 p.m.85 views

Upgrade Apache Commons-text for CVE-2022-42889

h3. DISCLAIMER panel:bgColor=e3fcef ! Confluence IS NOT VULNERABLE to CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889. This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the nex...

9.8CVSS9.1AI score0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2021/01/27 4:1 a.m.85 views

Gadget resource makeRequest defeats behind-the-firewall protection of app-linked resources - CVE-2021-26070

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the makeRequest gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0...

7.2CVSS6.3AI score0.01955EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/10/14 3:41 a.m.85 views

Unauthenticated user can Enumerate Issue Keys - CVE-2020-14185

Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2. Affected...

5.3CVSS5.8AI score0.02508EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/01 4:7 a.m.85 views

Customers created via the Customer Portal do not trigger an email verification

In affected versions of Jira Service Desk Server and Data Centre, it was possible to create customers with fake email addresses via the Customer Portal. This is now resolved with email verification. Affected versions: version 3.16.13 4.0.0 ≤ version 4.5.3 4.6.0 ≤ version 4.7.0 Fixed versions:...

5.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:43 a.m.85 views

Disclosure of issue key validity & issue attachment names in the render api resource - CVE-2019-14995

The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check...

5.3CVSS5.1AI score0.03012EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/04/29 4:15 a.m.85 views

Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check...

7.5CVSS4.6AI score0.0205EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.85 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/06/03 8:8 p.m.84 views

Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7,...

9.8CVSS5.8AI score0.99999EPSS
Exploits75
Atlassian
Atlassian
added 2021/10/21 11:57 a.m.84 views

CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Confluence is currently using underscore.js 1.10.2. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a...

7.2CVSS2.1AI score0.04087EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2021/06/30 3:9 a.m.84 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS2.3AI score0.48883EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/03/31 6:19 a.m.84 views

Information Disclosure using JQL function membersOf - CVE-2020-36286

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly...

5.3CVSS3.9AI score0.0141EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/10/19 7:1 a.m.84 views

Pre-Authorization Arbitrary File Read - access web.xml via curl with no authentication.

https://asecurityteam.atlassian.net/browse/VULN-196971 h3. Issue Summary The Atlassian Confluence, Atlassian Jira, and Atlassian Crowd are vulnerable to a Pre-Authorization Arbitrary File Read attack vector. Specifically, the /s/ endpoint can be accessed in a specific manner that enables...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/03/18 7:36 p.m.84 views

Make possible to remove valid EC2 configuration from Bamboo

An admin cannot remove valid EC2 the keys from Bamboo. After EC2 is disabled the credentials cannot be removed from the UI h3. Work Around Disable EC2 from Bamboo UI Shutdown Bamboo Edit BambooHomeDir/xml-data/configuration/administration.xml and remove code:java XXXXXXXXXXXXXX...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/08 2:49 a.m.84 views

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Confluence did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it...

4.3CVSS1.1AI score0.01264EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2017/03/21 8:59 p.m.84 views

The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506

The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344...

6.1CVSS3.9AI score0.71601EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:35 a.m.84 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS5.8AI score0.9986EPSS
Exploits1
Atlassian
Atlassian
added 2011/07/22 4:46 a.m.84 views

Enable X-FRAME-Options header to implement clickjacking protection

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-25143. panel TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...

Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/02 5:50 a.m.83 views

Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199

h3. Denial of service in Apache Tomcat CVE-2019-0199 A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams...

7.5CVSS2.8AI score0.72855EPSS
Exploits0
Atlassian
Atlassian
added 2014/05/26 11:49 a.m.83 views

Direct Object Reference - User Information Disclosure

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46864. panel A direct object reference vulnerability exists on the answers.atlassian.com platform which allows for malicious use...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/16 12:44 a.m.82 views

Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233

h3. Issue Summary Atlassian Bitbucket on Windows fails to properly set ACLs on its installation directory. Because Bitbucket installs High-privileged services, this allows for multiple privilege escalation vulnerability possibilities. h3. Affected Versions The following versions are only affected...

7.8CVSS5.8AI score0.00265EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/02 3:58 a.m.82 views

Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)

h3. Issue Summary Arbitrary Code Execution in confserver/confluence master h3. Steps to Reproduce Vulnerability: Arbitrary Code Execution Severity: color:f9423aHighcolor Project: confserver/confluence Branch: master Scan Date: Unknown Vulnerability ID: CVE-2019-17571 log4j-core is vulnerable to...

9.8CVSS4.1AI score0.6906EPSS
Exploits3
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.82 views

XSS in various resources in the issuesURL parameter - CVE-2017-18086

Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the issuesURL parameter...

6.1CVSS5.7AI score0.00825EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:11 a.m.82 views

XSS in the usermacros resource through the description of a macro - CVE-2017-18084

The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the description of a macro. Acknowledgements Atlassian would like to credit Veit Hailperin @fenceposterro...

4.8CVSS5.1AI score0.00612EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:10 a.m.82 views

XSS in the IncomingMailServers resource through the messagesThreshold parameter - CVE-2017-18039

The IncomingMailServers resource in Atlassian JIRA from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the messagesThreshold parameter...

6.1CVSS5.7AI score0.0145EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/27 7:37 p.m.82 views

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

4.3CVSS0.5AI score0.61114EPSS
Exploits5Affected Software1
Atlassian
Atlassian
added 2013/06/18 10:44 p.m.83 views

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...

9.1CVSS0.1AI score0.66578EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2013/05/21 12:23 a.m.82 views

Upgrade bundled Tomcat to 6.0.37

Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version...

6.8CVSS2.8AI score0.11975EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2023/03/09 12:4 a.m.81 views

Jira is affected by CVE-2022-42890 &

This affects the Batik library from v1.0 - v1.15 Jira 9.0.0 uses Batik v1.14. More information on vulnerability at: Information Exposure CVE-2022-41704|https://asecurityteam.atlassian.net/browse/VULN-1041609 Remote Code Execution RCE...

7.5CVSS4.1AI score0.0232EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.81 views

Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...

7.5CVSS6.4AI score0.00836EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/16 6:29 p.m.81 views

Pre-Authorization Limited Arbitrary File Read in Crowd - CVE-2020-36240

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. h3. Affected versions: version 4.0.4 4.10.0 ≤ versi...

5.3CVSS6.4AI score0.0233EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:22 a.m.81 views

DoS vulnerability in MessageBundleResource - CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed...

7.5CVSS6.8AI score0.01212EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/12 8:5 p.m.81 views

Information disclosure in Login - CVE-2020-4028

Users without session information should be pushed to the login page. Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login. Affected versions: version...

5.3CVSS3.2AI score0.00862EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/05 5:5 p.m.81 views

CSRF in Application Links plugin allows network enumeration - CVE-2019-20100

Atlassian Jira Server and Data Center before version 8.7.0 use a version of the Atlassian Application Links plugin that is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to...

4.7CVSS3.1AI score0.01021EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:30 a.m.81 views

XSS in the wikirenderer component - CVE-2019-8444

The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in image attribute specification...

5.4CVSS4.6AI score0.0092EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/04/16 6:32 a.m.81 views

Multiple vulnerabilites in Java 1.7.0_15

The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for...

10CVSS0.3AI score0.07224EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/15 4:23 a.m.81 views

Upgrade standalone Tomcat to 5.5.25

We should bundle the latest version of Tomcat with standalone to pick up some fixes including the security vulnerability detailed at: https://vulners.com/cve/CVE-2007-3382 https://vulners.com/cve/CVE-2007-3385...

5CVSS6AI score0.99708EPSS
Exploits27Affected Software1
Atlassian
Atlassian
added 2021/11/01 10:27 p.m.80 views

Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Service Management Server / DC and Insight Asset Management app where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These specia...

8.3CVSS2.9AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:43 p.m.80 views

Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities

Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were: CVE-2012-0881 CVE-2019-10172 CVE-2018-1000632 CVE-2016-1000031 CVE-2014-0114...

9.8CVSS7.4AI score0.96121EPSS
Exploits12Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:0 a.m.80 views

CSRF on Wallboard endpoint - CVE-2019-20411

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.13.9 8.4.2 8.5.0...

4.3CVSS7AI score0.00651EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/19 12:4 a.m.80 views

Upgrade Tomcat to the latest 8.0.x release

h3. Summary We are currently on 8.0.17 and have already been bitten by a bug in it: https://bz.apache.org/bugzilla/showbug.cgi?id=57476 We should upgrade to the latest to get the latest bugfixes. Also, there have been a number of recent CVEs involving Tomcat, most of which involve SecurityManager...

8.8CVSS7.1AI score0.1838EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/11/01 9:59 p.m.79 views

Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS3.9AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/11/01 8:34 p.m.79 views

Unicode characters allow malicious code to be hidden from a human reviewer (Confluence Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Confluence Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by th...

8.3CVSS3.8AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.79 views

User Enumeration via /rest/api/1.0/render endpoint - CVE-2021-39118

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed...

5.3CVSS6.7AI score0.01376EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/05/18 5:47 p.m.79 views

XSS in Issue Type /editworkflowscheme.jspa - CVE 2021-26080

Affected versions of Jira Server and Jira Data Center have a XSS vulnerability in the EditWorkflowScheme.jspa component which allows remote attackers to inject arbitrary HTML or JavaScript: Affected versions: version 8.5.14 8.6.0 ≤ version 8.13.6 8.14.0 ≤ version 8.16.1 Fixed versions: 8.5.14...

6.1CVSS4.8AI score0.01292EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/27 4:22 p.m.79 views

Privelege Escalation:- User having no permission is able to access logs of all private branches via ViewError Endpoint

h3. Issue Summary It has been observed that user having no permission is able to access error logs of all private branches which reveals the information related to project,agent,build etc. Bug Bounty report:...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/09 2:28 a.m.79 views

Update the bundled version of OWASP AntiSamy to address issues

The bundled version of OWASP AntiSamy in Fisheye before version 4.7.1 was vulnerable to CVE-2017-14735 https://nvd.nist.gov/vuln/detail/CVE-2017-14735 and CVE-2016-10006 https://nvd.nist.gov/vuln/detail/CVE-2016-10006...

6.1CVSS1.9AI score0.02039EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/28 4:54 a.m.79 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect JIRA...

8.1CVSS2.7AI score0.00509EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/07 8:14 a.m.78 views

Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104

Log4J version 1.2.17-atlassian-3 used in Fisheye and Crucible is vulnerable to CVE-2021-4104. The JMSAppender in Log4J 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4J configuration. Note this issue only affects Log4J 1.2 when specifically...

7.5CVSS1.9AI score0.81147EPSS
Exploits9
Atlassian
Atlassian
added 2021/11/29 3:22 p.m.78 views

Information Disclosure ever after CVE-2020-14179/JRASERVER-71536

h3. Issue Summary Unauthorized access to data from the following API even if the public.access.disabled is enabled. /rest/api/2/projectCategory /rest/api/2/resolution /rest/menu/latest/admin h3. Steps to Reproduce - Install Jira 8.13.9 with H2 database - Create a project and some Project categori...

5.3CVSS5.7AI score0.76042EPSS
Exploits1
Atlassian
Atlassian
added 2021/06/02 4:3 p.m.78 views

CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Jira system is currently using underscore.js 1.9.1. However, it is being affected due to CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the...

7.2CVSS1.7AI score0.04087EPSS
Exploits2
Total number of security vulnerabilities4295