Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2021/02/03 10:39 p.m.78 views

Update Atlassian Platform to 3.5.19 to fix CVE-2018-1000613, CVE-2019-17571 and other vulnerabilities

Update Atlassian Platform from 3.5.17 to 3.5.19. The new platform version brings changes in the following libraries: update com.atlassian.applinks: from 5.4.21 to 5.4.23 update com.atlassian.plugins: from 4.4.10 to 4.4.14 update com.atlassian.sal: from 3.1.2 to 3.1.3 update com.atlassian.streams:...

9.8CVSS7.8AI score0.88077EPSS
Exploits6
Atlassian
Atlassian
added 2019/02/14 10:3 p.m.78 views

Fisheye had a vulnerable version of Apache Commons FileUpload - CVE-2016-1000031

The DiskFileItem class from the Apache Commons FileUpload library before version 1.3.3 was vulnerable to CVE-2016-1000031. Atlassian Fisheye was using a vulnerable version of this library, although not the DiskFileItem class. Fisheye has been updated to use the safe version of the Apache Commons...

9.8CVSS4.1AI score0.34731EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/05/08 5:13 a.m.78 views

Command Injection (CVE-2017-8768)

SourceTree for Mac is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface. Affected versions: Versions of SourceTree for Mac starting with 1.4.0 before version 2.5.1 are affected by this vulnerability. Fix...

10CVSS3.5AI score0.08262EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/21 4:29 a.m.78 views

Upgrade bundled Tomcat due to security vulnerabilities

There are some Tomcat security vulnerabilities reported against the bundled version 7.0.32: CVE-2013-2067|http://mail-archives.apache.org/modmbox/www-announce/201305.mbox/%[email protected]%3E...

6.8CVSS2.5AI score0.11001EPSS
Exploits5Affected Software1
Atlassian
Atlassian
added 2023/04/20 12:43 p.m.77 views

A user with read permissions to a Confluence page is able to upload attachments - CVE-2023-22504

Affected versions of Atlassian Confluence Server and Data Center allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. The affected versions are before version 7.13.17, fro...

6.5CVSS6.3AI score0.00747EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:18 a.m.77 views

DoS vulnerability in MessageBundleResource - CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed...

7.5CVSS6.8AI score0.01212EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/17 10:21 p.m.77 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6
Atlassian
Atlassian
added 2020/08/18 4:57 p.m.77 views

Git submodules vulnerability in Sourcetree for Windows - CVE-2020-5260

There was a vulnerability in Sourcetree for macOS and windows that could reveal Git user credentials via maliciously crafted URL by an attacker, This vulnerability is triggered when the affected version of Git is used to execute a git clone command on a malicious URL. Affected versions of Atlassi...

9.3CVSS4.4AI score0.10047EPSS
Exploits2
Atlassian
Atlassian
added 2020/04/16 7:26 p.m.77 views

Security misconfiguration in the /json/fe/activeUserFinder.do resource - CVE-2020-4015

The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a security misconfiguration...

4.3CVSS5.6AI score0.0096EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/18 10:44 a.m.77 views

Missing permission check in review coverage REST endpoint - CVE-2017-18035

The /rest/review-coverage-chart/1.0/data//.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistic...

4.3CVSS5.3AI score0.00803EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/12/14 11:55 p.m.77 views

Authentication fails using SSH keys since 2.3.5

Neither the Pagent agent or OpenSSH is working to authenticate since I upgraded. Switching SSH services makes no difference. If I go to the command line, using ssh -i identfile I have no issues authenticating to any system. Other symptoms include the terminal not going to the repository but using...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/11/03 12:45 a.m.76 views

DoS (Denial of Service) io.netty:netty-codec-http2 in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.19.0, 8.3.0, 8.4.0, 8.5.0, and 8.6.0 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7.2AI score0.99999EPSS
Exploits19
Atlassian
Atlassian
added 2022/07/04 12:1 p.m.76 views

Update Log4j to 1.2.17-atlassian-16 to fix CVE-2022-23305, CVE-2022-23307, CVE-2020-9493, CVE-2022-23302

Crucible in version 4.8.9 and older uses a log4j library that has the following vulnerabilities: CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 / CVE-2020-9493 Crucible 4.8.10 uses a custom-built log4j, which has the above vulnerabilities fixed...

9.8CVSS7AI score0.66537EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/07 8:2 a.m.76 views

CVE-2021-43957: Bypass for CVE-2020-29446 (Local file disclosure / path traversal within WEB-INF)

Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References IDOR vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9...

7.5CVSS6AI score0.01245EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:10 a.m.76 views

A user-supplied regex in EyeQL causes ReDoS - CVE-2020-14190

Affected version of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions: 4.8.4 4.9.0...

7.5CVSS7.3AI score0.01212EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/04 11:56 p.m.76 views

Confluence on Windows was vulnerable to DLL hijacking - CVE-2019-20406

The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a dll file in a directory in the global path environmental variable variable to inject code & escala...

7.8CVSS4.6AI score0.0048EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/09 11:22 p.m.76 views

Restricting user's permissions from a page does not prevent the user from seeing it in /users/viewnotifications.action

h3. Issue Summary If a user was watching a page and then their permissions to view the page are removed, while they technically won't receive notifications about the page, they can still see the page, and thus title changes, at /users/viewnotifications.action h3. Steps to Reproduce As user A,...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/16 10:14 p.m.76 views

Improper authorization check in the WorkflowResource class removeStatus method - CVE-2019-15013

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a projec...

4.3CVSS6.1AI score0.0121EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.76 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

The version of the bundled Atlassian Application Links plugin was vulnerable to XSS. See https://ecosystem.atlassian.net/browse/APL-1361 for more details...

4.8CVSS2.1AI score0.00635EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:11 a.m.76 views

XSS in the viewdefaultdecorator resource through the key parameter - CVE-2017-18085

The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the key parameter...

6.1CVSS5.7AI score0.00825EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/10/31 12:10 p.m.76 views

Embed latest java critical security update (1.8.0.171 or higher) into the next JIRA (sub)version

h3. Problem Definition Current embedded JRE has some vulnerabilities which have been resolved in critical security update Java 1.8.0.171. Many larger companies which have a dedicated security team will ask their JIRA system admin to update the Java version to the new critical security update. Whi...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/09/15 1:28 a.m.76 views

SEN available in HTTP Response headers

Cloned from JRA-45188 h3. Summary Seems we're giving away our Support Entitlement Numbers SEN in our HTTP response headers. Risk here is that users who obtain these can then get free support in SAC. h3. Environment JIRA and Confluence Server JIRA and Confluence Cloud Potentially other apps h3...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/02/10 5:56 a.m.76 views

Security vulnerability in apache commons fileupload

Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library...

7.5CVSS4.5AI score0.83175EPSS
Exploits8
Atlassian
Atlassian
added 2024/02/14 10:47 a.m.75 views

SSRF (Server-Side Request Forgery) org.apache.xmlgraphics:batik-bridge Dependency in Jira Software Data Center and Server

This High severity org.apache.xmlgraphics:batik-bridge Dependency vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Jira Software Data Center and Server. This org.apache.xmlgraphics:batik-bridge Dependency vulnerability, with a CVSS...

7.5CVSS7.2AI score0.05791EPSS
Exploits1
Atlassian
Atlassian
added 2022/07/05 4:54 p.m.75 views

Crucible: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Crucible. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS1.9AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/07 9:59 a.m.75 views

Jira 8.19.X ships with JDK 11.0.11 which is affected by CVE-2021-2388

h3. Issue Summary Since the release of JRASERVER-72339 , Jira 8.19.X ships with OpenJDK 11 however the bundled AdoptOpen JDK 11.0.11 is affected by CVE-2021-2388 : https://nvd.nist.gov/vuln/detail/CVE-2021-2388 - CVSS 3.1 Base Score 7.5 Quote from doc bq. This vulnerability does not apply to Java...

7.5CVSS1AI score0.04008EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/07/17 3:19 p.m.75 views

Upgrade the bundled version of Apache Tomcat to 8.5.57

h3. Issue Summary The recently disclosed vulnerability regarding Apache Tomcat CVE-2020-13934|https://vulners.com/cve/CVE-2020-13934 affects the following versions: Apache Tomcat 8.x from 8.5.1 to 8.5.56 Apache Tomcat 9.x from 9.0.0.M5 to 9.0.36 Apache Tomcat 10.x from 10.0.0-M1 to 10.0.0-M6...

7.5CVSS7.5AI score0.87553EPSS
Exploits1
Atlassian
Atlassian
added 2020/06/18 2:45 a.m.75 views

XSS in API and Integrations - CVE-2020-14166

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in API and Integrations. Affected versions: version 4.10.0 Fixed versions: 4.10.0...

4.8CVSS5.6AI score0.0194EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:42 a.m.75 views

"Cookie Tossing" CSRF weakness against subdomains - CVE-2019-14998

The Webwork action Cross-Site Request Forgery CSRF protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance...

6.5CVSS5.9AI score0.01175EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/02/02 12:10 a.m.75 views

XSS in the editinword resource through the contents of an uploaded file - CVE-2017-18083

The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the contents of an uploaded file...

5.4CVSS5.1AI score0.00591EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/08 3:44 a.m.74 views

Json-smart Vulnerability in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 4.20.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2022/10/12 9:46 p.m.74 views

Critical severity command injection vulnerability - CVE-2022-43781

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center...

9.8CVSS2.2AI score0.98076EPSS
Exploits3
Atlassian
Atlassian
added 2022/09/14 6:31 a.m.75 views

Synchrony Proxy: spring-beans 5.3.19 is vulnerable to CVE-2022-22970

h3. Issue Summary spring-beans is vulnerable to CVE-2022-22970 This is reproducible on Data Center: yes h3. Steps to Reproduce Install Confluence 7.13.9 Step 2 h3. Expected Results Expect that synchrony-proxy/WEB-INF/lib contains spring-beans-5.3.20.jar or higher h3. Actual Results...

5.3CVSS6.2AI score0.01978EPSS
Exploits1
Atlassian
Atlassian
added 2021/11/02 9:28 a.m.74 views

Unicode characters allow malicious code to be hidden from a human reviewer (Fisheye & Crucible) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Fisheye and Crucible where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS8.3AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/10/25 1:26 a.m.74 views

Non-administrators can edit the File Replication settings - CVE-2021-41308

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...

6.5CVSS5.5AI score0.00981EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/24 2:0 p.m.74 views

jira.editor.user.mode cookie missing the secure attribute when Jira is configured with https - CVE-2021-26076

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn...

4.3CVSS3AI score0.01232EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:25 a.m.74 views

Information disclosure of product SEN via the x-asen response header - CVE-2020-14192

Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions:...

4.3CVSS5.1AI score0.00868EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:53 a.m.74 views

Open redirect in startup.jsp - CVE-2019-11585

The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect...

6.1CVSS5AI score0.01217EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/12 2:24 p.m.74 views

Confluence Page View Restriction is not Inherited when Ancestor CONFANCESTORS Table Gets out of Sync

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-25189. panel When Confluence ancestor CONFANCESTORS table gets out of sync or corrupted. Page View restriction are not inherite...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/11/29 11:55 p.m.73 views

Upgrade Tomcat to fix CVE-2023-46589

h3. Issue Summary This is reproducible on Data Center: / Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a later version to fix CVE-2023-46589|https://nvd.nist.gov/vuln/detail/CVE-2023-46589 h3. Environment 8.1.x to 9.4.x h3. Steps to Reproduce Check the Apache Tomcat version...

7.5CVSS7AI score0.02651EPSS
Exploits0
Atlassian
Atlassian
added 2017/12/18 2:40 a.m.73 views

XSS through the jqlQuery query parameter to the printable searchrequest issue resource - CVE-2017-14594

The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the jqlQuery query parameter...

6.1CVSS5.7AI score0.01039EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/04 2:48 a.m.73 views

Update Java version bundled found in the installer to a version >= 1.8u71

Update the bundled version of java to a version = 1.8u71 1.8 update 71, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlAppendixJAVA. Included in the security fixes is a fix for CVE-2016-0483 "An out-of-bounds write flaw was found in the...

10CVSS2AI score0.14714EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/04/01 2:35 p.m.73 views

Avatars appear on Activity Stream even for anonymous users

Every user, independent of privileges, is able to see entries related to user's avatar change on Activity Stream. It also happens for users that are not logged in. See attached image...

3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/24 5:42 a.m.73 views

Warn about assigning "Anyone" group in Global and Project permissions

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-18076. panel Assigning anyone to global permissions such as a "Browse user" is a sure way to shoot yourself in the foot inadvertently. We ma...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/12/20 8:46 a.m.72 views

Upgrade Struts to avoid false-positive scanner warnings about CVE-2024-53677

h3. Issue Summary Recent CVE-2024-53677 at Struts triggers vulnerability scanners warning. panel:title=Bamboo is not affected Supported versions of Bamboo 9.2+, 9.6+, 10.2+ are not affected because FileUploadInterceptor doesn't handle uploaded files. panel h3. Steps to Reproduce See WEB-INB/lib...

9.8CVSS6.6AI score0.78198EPSS
Exploits15
Atlassian
Atlassian
added 2024/02/14 10:47 a.m.72 views

RCE (Remote Code Execution) org.apache.xmlgraphics:batik-bridge Dependency in Jira Software Data Center and Server

This High severity org.apache.xmlgraphics:batik-bridge Dependency RCE Remote Code Execution vulnerability was introduced in versions 8.20.0, 8.22.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This org.apache.xmlgraphics:batik-bridge...

7.5CVSS7.7AI score0.02143EPSS
Exploits0
Atlassian
Atlassian
added 2022/04/20 8:14 p.m.72 views

A vulnerable version of Apache Tomcat was used in Jira Server (CVE-2020-9484, CVE-2022-23181)

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-9484 and CVE-2022-23181. The affected versions of Jira Server and Data Center are before version 8.13.20, from version 8.14.0 before 8.20.8, from version 8.21.0 before 8.22.2...

7CVSS7.3AI score0.56636EPSS
Exploits15
Atlassian
Atlassian
added 2021/03/10 11:5 a.m.72 views

Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

Git LFS is vulnerable to remote code execution on Windows CVE-2021-21237: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix...

10CVSS5.1AI score0.82715EPSS
Exploits14Affected Software1
Atlassian
Atlassian
added 2020/06/16 2:46 a.m.72 views

XSS in WYSIWYG editor via pasted code - CVE-2020-14164

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the WYSIWYG editor. The affected versions are before 8.5.9, and from version 8.6.0 before 8.8.2. Affected versions: version...

6.1CVSS4.8AI score0.00732EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/17 7:26 p.m.72 views

Comment properties do not respect permissions

h3. Issue Summary Comment properties do not respect permissions on the comment like the docs say|https://docs.atlassian.com/software/jira/docs/api/REST/8.4.1/api/2/comment/%7BcommentId%7D/properties-getProperty This issue was reported via bugbounty...

Exploits0Affected Software1
Total number of security vulnerabilities4295