Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2016/02/04 2:48 a.m.87 views

Update Java version bundled found in the installer to a version >= 1.8u71

Update the bundled version of java to a version = 1.8u71 1.8 update 71, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlAppendixJAVA. Included in the security fixes is a fix for CVE-2016-0483 "An out-of-bounds write flaw was found in the...

10CVSS2AI score0.14714EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/26 8:4 p.m.87 views

Rest API XSS

An unauthenticated XSS vulnerability has been confirmed in confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...

6.1CVSS0.6AI score0.02302EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/01/21 6:34 p.m.86 views

XSS via ViewWorkflowSchemes.jspa, ListWorkflows.jspa - CVE-2020-36236

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version...

6.1CVSS4.8AI score0.01274EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:43 a.m.86 views

Disclosure of issue key validity & issue attachment names in the render api resource - CVE-2019-14995

The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check...

5.3CVSS5.1AI score0.03012EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:50 p.m.86 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Fisheye before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Fisheye...

6.1CVSS1.5AI score0.87218EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:59 a.m.86 views

CVE-2015-8361: Services exposed without authentication Vulnerability

Bamboo exposed services without first performing authentication checks. Attackers can use this vulnerability to extract confidential information from Bamboo, modify certain settings and manage build agents. To exploit this issue, attackers need to be able to access the Bamboo JMS port. Affected...

9.8CVSS2.3AI score0.02844EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/10/24 12:58 a.m.86 views

Persistent XSS in JIRA charting plugin Workload Pie Chart Report

The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand. The configuration page contains an XSS vulnerability in custom field names. 1. Create a custom field with the name alert'custom field' 2. Try to...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/11/10 5:3 p.m.85 views

Upgrade Apache Commons-text for CVE-2022-42889

h3. DISCLAIMER panel:bgColor=e3fcef ! Confluence IS NOT VULNERABLE to CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889. This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the nex...

9.8CVSS9.1AI score0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2021/01/27 4:1 a.m.85 views

Gadget resource makeRequest defeats behind-the-firewall protection of app-linked resources - CVE-2021-26070

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the makeRequest gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0...

7.2CVSS6.3AI score0.01955EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/12 8:5 p.m.85 views

Information disclosure in Login - CVE-2020-4028

Users without session information should be pushed to the login page. Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login. Affected versions: version...

5.3CVSS3.2AI score0.00862EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/01 4:7 a.m.85 views

Customers created via the Customer Portal do not trigger an email verification

In affected versions of Jira Service Desk Server and Data Centre, it was possible to create customers with fake email addresses via the Customer Portal. This is now resolved with email verification. Affected versions: version 3.16.13 4.0.0 ≤ version 4.5.3 4.6.0 ≤ version 4.7.0 Fixed versions:...

5.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/06/03 8:8 p.m.84 views

Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7,...

9.8CVSS5.8AI score0.99999EPSS
Exploits75
Atlassian
Atlassian
added 2021/10/21 11:57 a.m.84 views

CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher

h3. Issue Summary Confluence is currently using underscore.js 1.10.2. However, it is being affected due to CVE-2021-23358 The package underscore from 1.13.0-0 and before 1.13.0-2 From 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a...

7.2CVSS2.1AI score0.04087EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2020/10/19 7:1 a.m.84 views

Pre-Authorization Arbitrary File Read - access web.xml via curl with no authentication.

https://asecurityteam.atlassian.net/browse/VULN-196971 h3. Issue Summary The Atlassian Confluence, Atlassian Jira, and Atlassian Crowd are vulnerable to a Pre-Authorization Arbitrary File Read attack vector. Specifically, the /s/ endpoint can be accessed in a specific manner that enables...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/03/18 7:36 p.m.84 views

Make possible to remove valid EC2 configuration from Bamboo

An admin cannot remove valid EC2 the keys from Bamboo. After EC2 is disabled the credentials cannot be removed from the UI h3. Work Around Disable EC2 from Bamboo UI Shutdown Bamboo Edit BambooHomeDir/xml-data/configuration/administration.xml and remove code:java XXXXXXXXXXXXXX...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/08 2:49 a.m.84 views

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Confluence did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it...

4.3CVSS1.1AI score0.01264EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2017/03/21 8:59 p.m.84 views

The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506

The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344...

6.1CVSS3.9AI score0.71601EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:35 a.m.84 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS5.8AI score0.9986EPSS
Exploits1
Atlassian
Atlassian
added 2011/07/22 4:46 a.m.84 views

Enable X-FRAME-Options header to implement clickjacking protection

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-25143. panel TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...

Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.84 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/02 5:50 a.m.83 views

Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199

h3. Denial of service in Apache Tomcat CVE-2019-0199 A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams...

7.5CVSS2.8AI score0.72855EPSS
Exploits0
Atlassian
Atlassian
added 2016/07/15 2:23 a.m.83 views

XSS in /includes/decorators/global-translations.jsp

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-61888. panel Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: Tamper with a GET request to...

6.1CVSS5.9AI score0.02111EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2015/10/27 7:37 p.m.83 views

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

4.3CVSS0.5AI score0.61114EPSS
Exploits5Affected Software1
Atlassian
Atlassian
added 2014/05/26 11:49 a.m.83 views

Direct Object Reference - User Information Disclosure

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46864. panel A direct object reference vulnerability exists on the answers.atlassian.com platform which allows for malicious use...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/18 10:44 p.m.84 views

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...

9.1CVSS0.1AI score0.66578EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2023/03/09 12:4 a.m.82 views

Jira is affected by CVE-2022-42890 &

This affects the Batik library from v1.0 - v1.15 Jira 9.0.0 uses Batik v1.14. More information on vulnerability at: Information Exposure CVE-2022-41704|https://asecurityteam.atlassian.net/browse/VULN-1041609 Remote Code Execution RCE...

7.5CVSS4.1AI score0.0232EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.82 views

Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...

7.5CVSS6.4AI score0.00836EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.82 views

User Enumeration via /rest/api/1.0/render endpoint - CVE-2021-39118

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed...

5.3CVSS6.7AI score0.01376EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/16 6:29 p.m.82 views

Pre-Authorization Limited Arbitrary File Read in Crowd - CVE-2020-36240

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. h3. Affected versions: version 4.0.4 4.10.0 ≤ versi...

5.3CVSS6.4AI score0.0233EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/16 12:44 a.m.82 views

Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233

h3. Issue Summary Atlassian Bitbucket on Windows fails to properly set ACLs on its installation directory. Because Bitbucket installs High-privileged services, this allows for multiple privilege escalation vulnerability possibilities. h3. Affected Versions The following versions are only affected...

7.8CVSS5.8AI score0.00265EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/02 3:58 a.m.82 views

Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)

h3. Issue Summary Arbitrary Code Execution in confserver/confluence master h3. Steps to Reproduce Vulnerability: Arbitrary Code Execution Severity: color:f9423aHighcolor Project: confserver/confluence Branch: master Scan Date: Unknown Vulnerability ID: CVE-2019-17571 log4j-core is vulnerable to...

9.8CVSS4.1AI score0.6906EPSS
Exploits3
Atlassian
Atlassian
added 2020/02/05 5:5 p.m.82 views

CSRF in Application Links plugin allows network enumeration - CVE-2019-20100

Atlassian Jira Server and Data Center before version 8.7.0 use a version of the Atlassian Application Links plugin that is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to...

4.7CVSS3.1AI score0.01021EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.82 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

The version of the bundled Atlassian Application Links plugin was vulnerable to XSS. See https://ecosystem.atlassian.net/browse/APL-1361 for more details...

4.8CVSS2.1AI score0.00635EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.82 views

XSS in various resources in the issuesURL parameter - CVE-2017-18086

Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the issuesURL parameter...

6.1CVSS5.7AI score0.00825EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:11 a.m.82 views

XSS in the usermacros resource through the description of a macro - CVE-2017-18084

The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the description of a macro. Acknowledgements Atlassian would like to credit Veit Hailperin @fenceposterro...

4.8CVSS5.1AI score0.00612EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/28 4:54 a.m.82 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect JIRA...

8.1CVSS2.7AI score0.00509EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/21 12:23 a.m.82 views

Upgrade bundled Tomcat to 6.0.37

Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version...

6.8CVSS2.8AI score0.11975EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2008/01/15 4:23 a.m.82 views

Upgrade standalone Tomcat to 5.5.25

We should bundle the latest version of Tomcat with standalone to pick up some fixes including the security vulnerability detailed at: https://vulners.com/cve/CVE-2007-3382 https://vulners.com/cve/CVE-2007-3385...

5CVSS6AI score0.99708EPSS
Exploits27Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:22 a.m.81 views

DoS vulnerability in MessageBundleResource - CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed...

7.5CVSS6.8AI score0.01212EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:30 a.m.81 views

XSS in the wikirenderer component - CVE-2019-8444

The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in image attribute specification...

5.4CVSS4.6AI score0.0092EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/04/16 6:32 a.m.81 views

Multiple vulnerabilites in Java 1.7.0_15

The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for...

10CVSS0.3AI score0.07224EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/11/01 10:27 p.m.80 views

Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Service Management Server / DC and Insight Asset Management app where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These specia...

8.3CVSS2.9AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/11/01 9:59 p.m.80 views

Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS3.9AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/05/18 5:47 p.m.80 views

XSS in Issue Type /editworkflowscheme.jspa - CVE 2021-26080

Affected versions of Jira Server and Jira Data Center have a XSS vulnerability in the EditWorkflowScheme.jspa component which allows remote attackers to inject arbitrary HTML or JavaScript: Affected versions: version 8.5.14 8.6.0 ≤ version 8.13.6 8.14.0 ≤ version 8.16.1 Fixed versions: 8.5.14...

6.1CVSS4.8AI score0.01292EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/24 2:0 p.m.80 views

jira.editor.user.mode cookie missing the secure attribute when Jira is configured with https - CVE-2021-26076

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn...

4.3CVSS3AI score0.01232EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:43 p.m.80 views

Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities

Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were: CVE-2012-0881 CVE-2019-10172 CVE-2018-1000632 CVE-2016-1000031 CVE-2014-0114...

9.8CVSS7.4AI score0.96121EPSS
Exploits12Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:39 p.m.80 views

Update Atlassian Platform to 3.5.19 to fix CVE-2018-1000613, CVE-2019-17571 and other vulnerabilities

Update Atlassian Platform from 3.5.17 to 3.5.19. The new platform version brings changes in the following libraries: update com.atlassian.applinks: from 5.4.21 to 5.4.23 update com.atlassian.plugins: from 4.4.10 to 4.4.14 update com.atlassian.sal: from 3.1.2 to 3.1.3 update com.atlassian.streams:...

9.8CVSS7.8AI score0.88077EPSS
Exploits6
Atlassian
Atlassian
added 2020/04/08 3:0 a.m.80 views

CSRF on Wallboard endpoint - CVE-2019-20411

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.13.9 8.4.2 8.5.0...

4.3CVSS7AI score0.00651EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/16 10:14 p.m.80 views

Improper authorization check in the WorkflowResource class removeStatus method - CVE-2019-15013

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a projec...

4.3CVSS6.1AI score0.0121EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/19 12:4 a.m.80 views

Upgrade Tomcat to the latest 8.0.x release

h3. Summary We are currently on 8.0.17 and have already been bitten by a bug in it: https://bz.apache.org/bugzilla/showbug.cgi?id=57476 We should upgrade to the latest to get the latest bugfixes. Also, there have been a number of recent CVEs involving Tomcat, most of which involve SecurityManager...

8.8CVSS7.1AI score0.1838EPSS
Exploits0Affected Software1
Total number of security vulnerabilities4295