DoS (Denial of Service) org.eclipse.jetty:jetty-io in Jira Software Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.10.1, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
Info Disclosure org.eclipse.jetty:jetty-util in Jira Software Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.10.1, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
org.apache.velocity Vulnerability in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, and 7.21.7 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of...
User with system administrator privilege can search restricted pages.
h3. Issue Summary Starting with Confluence 8.5.1, when a user is granted the System Administrator permission in Global permissions, the user can search for restricted content and the restricted page is displayed in the search results; when the user tries to access it, the page says "Page can't be found". This behaviour is not...
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990
h2. Summary of Vulnerability Certain versions of Jira Service Management Server & Data Center were affected by CVE-2019-13990. The affected versions contained vulnerable versions of Terracotta Quartz Scheduler which allowed authenticated attackers to initiate an XML External Entity injection atta...
RCE (Remote Code Execution) in Bitbucket Data Center and Server - CVE-2022-1471
h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE Remote Code Execution. i Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed...
org.apache.tomcat:tomcat-catalina Vulnerability in Bamboo Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 9.2.2, 9.2.3 and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticat...
FALSE POSITIVE - OpenSearch Vulnerability in Bitbucket Data Center and Server
Notice of FALSE POSITIVE After review, it has been determined that CVE-2022-41906 DOES NOT affect ANY version of Bitbucket Data Center or Bitbucket Server. We have updated our bulletin and Jira tickets to reflect this update. We have taken action to prevent this false-positive from appearing in o...
As a sys admin user without permissions to view a restricted space, I can see activity for it but cannot view the space or pages in it
h3. Issue Summary This is reproducible on Data Center: YES. h3. Steps to Reproduce h4. Steps on Bulldog: Sign in as a user with all of these permissions: Can Use, Personal Space, Create Spaces, Confluence Administrator (optional), System Administrator. Note that this user should not be present in th...
Creating tickets via mail adds recipient address to watchers, without necessary permissions
h3. Issue Summary This is reproducible on Data Center: yes h3. Steps to Reproduce create an email channel for Jira with the email address of a user without license in Jira the user should exist in Jira and not have application access configure the mail puller to create tickets for the email sende...
RCE (Remote Code Execution) in Bitbucket Data Center and Server
This High severity RCE Remote Code Execution vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to...
RCE (Remote Code Execution) in Confluence Data Center and Server - CVE-2022-1471
h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE Remote Code Execution. i Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed v...
websudo does not work for space admins in Confluence version 8.5.1
h3. Issue Summary This is reproducible on the Data Center: yes Issue happens only on 8.5.1 and works fine on 8.5.0 h3. Steps to Reproduce 1. Install Confluence Data Center 8.5.1 2. Create a Confluence test user with can use permissions in Global permissions 3. Assign all the space permissions in ...
QueryComponentRenderer API returns project key
When an unauthenticated remote attacker accesses "/secure/QueryComponentRendererValue!Default.jspa?pid=10000", the project key is returned: code:java "project":"name":"Project","viewHtml":" \n \n Project:\n \n Project id=10,000 \n","editHtml":"\n","jql":"project =...
DoS (Denial of Service) in Confluence Data Center and Server
This High severity DoS Denial of Service vulnerability was introduced in version 5.6 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely...
Third-Party Dependency in Bamboo Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in version 8.1.12 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with CVSS Scores of 7.5, and CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an attacker to expose assets in yo...
Upgrade Tomcat to fix CVE-2023-41080
h3. Problem Apache Tomcat should be upgraded to 9.0.80 or a later version to fix CVE-2023-41080|https://nvd.nist.gov/vuln/detail/CVE-2023-41080 h3. Environment Jira v9.11 h3. Steps to Reproduce Current bundled Tomcat version is Tomcat 9.0.75 which is vulnerable to CVE-2023-41080. Upgrade Tomcat t...
Log in to Customer portal can redirect user to a completely different URL
h3. Issue Summary Able to redirect to a completely different URL after login to JSM portal This is reproducible on Data Center: yes h3. Steps to Reproduce Set up a JSM project Open an incognito window Browse the link JIRABASEURL/servicedesk/customer/user/login?absolute=true&destination=//google.c...
Users with no "Browse Users" permission are able to fetch issues assigned to or reported by another user using an advanced search filter
h3. Issue Summary Users with no "Browse Users" permission are able to fetch issues that are assigned to another user or reported by another user using an advanced search filter. This is reproducible on Data Center: yes h3. Steps to Reproduce Log into JIRA with a user which does not have Browse Users...
Third-Party Dependency Vulnerability in Jira Service Management Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in version 4.20.0 of Jira Service Management Data Center and Server. This vulnerability, with CVSS Scores of 7.5, and CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an unauthenticated attacker to expose...
Smart commits are processed in Jira for repositories without smart commits when synced via git webhooks
h3. Issue Summary This is reproducible on Data Center: yes Explanation: This bug shows up only for integrations using webhooks. Smart commits work correctly when data is synced during the hourly polling job. Environment requirements: Jira needs to be available for the Git instance to let git webhook...
Team Calendars is not loading Jira Agile Sprint Events
h3. Issue Summary Team Calendars is not loading Jira Agile Sprint Events This is reproducible on Data Center: yes h3. Steps to Reproduce Install Confluence 8.4.0 and Jira 9.9.1 Set up application link and sample Jira project Add Jira Agile Event h3. Expected Results Expect Jira Agile Events to...
Third-Party Dependency Vulnerability in Confluence
This high severity Patch Management vulnerability was introduced in version 7.13.15 of Confluence Data Center & Server. This Patch Management vulnerability, with CVSS Scores of 7.5, allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has no...
Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting
h3. Issue Summary When using the open-source Jira Python library|https://github.com/pycontribs/jira to make REST API calls to Jira, if cookie-based authentication|https://jira.readthedocs.io/examples.htmlcookie-based-authentication is used then Jira's rate limits will be bypassed. This can result...
Injection, RCE (Remote Code Execution) in Bamboo
This High severity Injection and RCE Remote Code Execution vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center. This Injection and RCE Remote Code Execution vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to modify the actions take...
Transition screen removed when project admin edits a transition
h3. Problem The relevant transition screen gets removed when a project admin without Jira Administrator global permission attempts to edit a transition. h3. Environment Jira h3. Steps to Reproduce Create a new project I used Scrum software development template Modify one of the transitions in the...
RCE (Remote Code Execution) in Confluence Data Center & Server
This High severity RCE Remote Code Execution vulnerability known as CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center & Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8, allows an authenticated attacker to execute arbitrary code which has high...
RCE (Remote Code Execution) in Confluence Data Center & Server
This High severity RCE Remote Code Execution vulnerability known as CVE-2023-22508 was introduced in version 6.1.0 of Confluence Data Center & Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high...
Upgrade Tomcat to fix CVE-2023-34981
h3. Issue Summary Apache Tomcat should be upgraded to 9.0.75 or a later version to fix CVE-2023-34981|https://nvd.nist.gov/vuln/detail/CVE-2023-34981 panel:bgColor=e3fcef Bamboo is not vulnerable to this issue as it does not bundle Apache Tomcat 9.0.74 on any of its releases. This is an...
Update Spring-Security used on Bitbucket to fix CVE-2023-20862
h3. Problem All Bitbucket versions, excluding 8.11.x, use Spring Security 5.7.7 or older, leading to Security scans listing Bitbucket as vulnerable to CVE-2023-20862|https://spring.io/security/cve-2023-20862. h3. Environment Any Bitbucket older than version 8.11.0 h3. Steps to Reproduce Check wha...
Page restrictions are not inherited for pages created from Templates
h3. Issue Summary Page restrictions are not inherited to child pages if the child page is created via Templates e.g Meeting notes template. This is reproducible on Data Center: yes h3. Steps to Reproduce Create a page and apply page restriction for some user View and edit restriction Create a chi...
Smart commit action does not respect user permission for Comment actions
h3. Summary When executing a smart commit for adding a comment as per Processing issues with Smart Commits|https://confluence.atlassian.com/jirasoftwareserver0904/processing-issues-with-smart-commits-1188765783.html, it is not failing even if the user does not have permission for the requested...
Apache Tomcat CVE-2023-28709
h3. Issue summary Apache Tomcat should be upgraded to 9.0.74 or a later version to fix CVE-2023-28709|https://nvd.nist.gov/vuln/detail/CVE-2023-28709 h3. Environment Bitbucket 8.10.x and 8.11 h3. Steps to Reproduce Check the Apache Tomcat version on pom.xml h3. Expected Results Bitbucket 8.10 and...
Upgrade Tomcat to fix CVE-2023-28709
h3. Issue summary Apache Tomcat should be upgraded to 8.5.88 or 9.0.74 (or a later version) to fix CVE-2023-28709|https://nvd.nist.gov/vuln/detail/CVE-2023-28709 h3. Environment Bamboo 8, 9 h3. Steps to Reproduce Check the Apache Tomcat version in pom.xml or /bin/version.sh/bat h3. Expected Result...
Granting the 'Administer Projects' permission to a 'Custom Field' within a permission scheme allows all users to see the Project Settings
h3. Issue Summary This is reproducible on Data Center: yes Granting the Administer Projects permission to a User custom field value results in users having access to the Project Settings area even when the field is not populated. h3. Steps to Reproduce Create a new project with sample data Create...
Export feature adds clear text password to the directories configuration on the zip file - Import fails with "Can't decrypt data"
h3. Problem When exporting a Bamboo configuration, the resulting zip file will contain clear-text passwords on db-export/directories.xml. This introduces a security issue and a broken import with the following error: code:java 2023-05-22 15:18:52,590 INFO main SecretEncryptionServiceImpl Can't...
Upgrade spring-core for CVE-2023-20860
h3. Issue Summary Bitbucket Server/DC includes the following two libraries, which may be vulnerable to CVE-2023-20860|https://vulners.com/cve/CVE-2023-20860: /app/WEB-INF/lib/spring-core-5.3.23.jar /opensearch/plugins/opensearch-sql/spring-core-5.3.22.jar Bitbucket isn't known to be vulnerable, b...
User enumeration security issue when external authentication server is used
h3. Issue Summary This is reproducible on all Atlassian on-prem products that use LDAP or any other external server for authentication. It is possible to find out which usernames exists in the system and which do not exist by studying the response times it takes for a server to process a login...
Confluence System error page is displaying environment details.
h3. Issue Summary Confluence System error page is displaying environment details. This has been fixed as per https://jira.atlassian.com/browse/CONFSERVER-55306 but the issue still persists. This is reproducible on Data Center: yes h3. Steps to Reproduce Create a Confluence instance with version...
Unauthorised users who make multipart requests have this data written to disk momentarily
h3. Issue Summary When a multipart request is made to a Confluence server, the multipart data is usually saved to a temporary directory prior to determining whether a user is authorised to access that URL. This is due to both application and library WebWork/Struts design where permission checks...
A user with read permissions to a Confluence page is able to upload attachments - CVE-2023-22504
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. The affected versions are before version 7.13.17, fro...
Malicious file upload in Jira Server via anonymous sources
Affected versions of Atlassian Jira Server/DC allow an unauthenticated attacker to upload arbitrary files to Jira via the file upload functionality in the fileupload url. However, an attacker cannot control the filename or its location, which prevents the possibility of RCE. Files with name start...
Upgrade Tomcat for CVE-2023-28708
h3. Issue Summary The version of Tomcat bundled in Jira is affected by CVE-2023-28708|https://nvd.nist.gov/vuln/detail/CVE-2023-28708 as described below: quote When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https...
Upgrade moment library to 2.29.2+ for LTS version as required for CVE-2022-24785 and CVE-2022-31129
Hi, Is it possible to upgrade the moment.js library to 2.29.2 on all LTS versions? It seems fixed in 9.7.0 as this ticket seems to point https://jira.atlassian.com/browse/JRASERVER-74647 In our 9.4.2 LTS version it is still discovered as a vulnerability. Regards CWATCH team...
Upgrade Postgres for CVE-2022-41946
h3. Issue Summary The version of Postgresql bundled in Bitbucket is affected by CVE-2022-41946|https://nvd.nist.gov/vuln/detail/CVE-2022-41946 as described below: quote pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either...
Upgrade Tomcat for CVE-2023-28708
h3. Issue Summary The version of Tomcat bundled in Bitbucket is affected by CVE-2023-28708|https://nvd.nist.gov/vuln/detail/CVE-2023-28708 as described below: quote When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to...
JavaScript Code with variable containing underscore does not work
h3. Issue Summary JavaScript Code with a variable containing an underscore does not work in Page Template HTML macro 3rd Party Plugin Script Runner h3. Steps to Reproduce Sample code block: code:java $test $test1 $"inputname='variableValues.test'".changefunction console.log$this.val;...
Jira is affected by CVE-2022-42890 &
This affects the Batik library from v1.0 to v1.15; Jira 9.0.0 uses Batik v1.14. More information on the vulnerability at: Information Exposure CVE-2022-41704|https://asecurityteam.atlassian.net/browse/VULN-1041609 Remote Code Execution RCE...
Session invalidation should be propagated to other nodes in the cluster
In Jira, some events, such as a password change or user deletion, invalidate user sessions. Currently those events only invalidate sessions on the node where the event was triggered. Those events should be propagated to other nodes...
Custom PDF export of pages breaks page titles containing umlaut letters.
h3. Issue Summary Custom PDF export of pages breaks page titles containing umlaut letters. The issue is reproducible on the latest LTS release 7.19.4 and the latest release 8.1.0. This is reproducible on Data Center: yes h3. Steps to Reproduce Set up Confluence DC. sandbox as separate proce...