4195 matches found
Information disclosure via Synchrony service
Affected versions of Atlassian Confluence Server allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the Synchrony service. This vulnerability was discovered by Rojan Rijal of Tinder Security Engineering. The affected versions are before version...
Information disclosure of names of attachments and labels in a private Confluence space - CVE-2023-22503
Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This vulnerability was reported by Roj...
When the Groovy Console permission level is "Only Jira System Admins", users with the Jira Administrator role cannot add a post function except via the "Run a Groovy script with this transition" link
h3. Issue Summary When the permission level is "Only Jira System Admin" and the logged-in user has the Jira Administrator role, the user is not able to add a post function via the links, except for the "Run a Groovy script with this transition" link. h3. Steps to Reproduce Log in as a user who has Jira system admin...
Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework
Jira is not impacted; no action is required, as the vulnerability +cannot be exploited+. All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published; however, Jira +does not use the affected methods from Spring+, hence +is not impacted+:...
Information Disclosure via QueryComponentRenderer API
Affected versions of Atlassian Jira Server and Data Center allowed an unauthenticated remote attacker to fetch Issue, Project and Sprint information via an Information Disclosure vulnerability in the "/secure/QueryComponentRendererValue!Default.jspa" endpoint. Affected versions: version 9.5.1 Fixed...
HSTS configuration not working in Confluence 8.0.2
h3. Issue Summary This is reproducible on Data Center: Yes h3. Steps to Reproduce Configure Confluence on SSL. Follow KB -...
Critical severity authentication vulnerability - CVE-2023-22501
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled...
Bump jackson-databind dependency to 2.13.4.2
The Embedded Crowd library has a transitive dependency on vulnerable library code: com.fasterxml.jackson.core:jackson-databind:jar:2.12.1 (CVE-2020-36518). It is being included through the Crowd dependency on com.microsoft.azure:msal4j:jar:1.11.0. The affected versions are before version 5.0.4...
Private key is logged at DEBUG level when accidentally entered into SSH page
When a user uploads their public SSH key, Bitbucket will log the submitted data at DEBUG level if the key is invalid. Unfortunately, if a user mistakenly uploads their private key, this will be logged (access log excerpt): username SECO1Qx158x13421x0 3omfyq 123.45.67.89,12.34.56.78 "POST...
Mask Webhook secret Key
While configuring webhooks in Bitbucket, we have the option to provide a secret key that is not masked, and hence the plain-text secret key is visible in the audit logs; kindly mask the secret key. Steps to reproduce: Configure a webhook in Bitbucket Server. When the hook is created or modified, we see the...
Upgrade OpenSearch to 1.3.7 to mitigate CVE-2022-42889
In BSERV-13534, commons-text usages were upgraded in the Bitbucket Webapp to mitigate against CVE-2022-42889, although the Bitbucket WebApp was actually unaffected. The bundled OpenSearch should also be updated to 1.3.7 when it is released. The release date is currently scheduled for 13-Dec-2022:...
An Atlassian product has a security vulnerability.
Affected versions of Atlassian Confluence Server allow remote authenticated attackers to view sensitive information in the hidden attachments of custom content on reindexing via an Information Disclosure vulnerability in the search page. The affected versions are before version 7.13.12, from...
Insight JAMF integration - Error when Importing
h3. Issue Summary The Assets - Jamf Integration plugin (https://marketplace.atlassian.com/apps/1219908/assets-jamf-integration?tab=overview&hosting=datacenter), supported by Atlassian, seems to return an error in the importing process: "could not connect to service". h3. Steps to Reproduce The...
Upgrade Apache Commons-text for CVE-2022-42889
h3. DISCLAIMER Crowd IS NOT VULNERABLE to CVE-2022-42889 (https://vulners.com/cve/CVE-2022-42889). This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next...
Upgrade Apache Commons-text for CVE-2022-42889
h3. DISCLAIMER Confluence IS NOT VULNERABLE to CVE-2022-42889 (https://vulners.com/cve/CVE-2022-42889). This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the nex...
Upgrade Apache Commons-text for CVE-2022-42889
h3. BUG RE-OPENED Jira Service Management 5.4.3, which was supposed to be fixed at 9.4.3 / 5.4.3, is still generating files with the commons-text library version 1.6 in the /plugins/.osgi-plugins folder. Even after deleting these files, they are generated again on the next restart. Due to...
"Browse Project" permission set to specific values overrides the customer permission that results in the project getting exposed in the customer portal
h3. Steps to Reproduce In JSD project A, set the customer permission "Who can access the portal and send requests to ?" to "Customers my team adds to the project". Confirm that the project has no customers added. Access the portal as a customer that has access to the customer portal, a customer that is...
When setting a customer account's password, a potentially different, existing logged-in user/session is recorded in the audit log as having made the password change, causing confusion and making it look like a password hijack
h1. Steps to reproduce Consider the following scenario: User A: an invite is sent to [email protected] to join the JSM customer portal. User B is a customer and is logged into the customer portal as [email protected]. In the same browser where User B is logged in, the mailbox of [email protected] is open and ...
Putting a word in quotes and having the > character in the summary allows scripts to execute
h3. Issue Summary If you have a summary with a word in double quotes, similar to "Something", and it also contains the > character, then you can execute actions through tags in the summary. This is reproducible on Data Center: Yes h3. Steps to Reproduce This can be reproduced when editing and creating an issue...
Crowd DC Critical Security Misconfiguration Vulnerability - CVE-2022-43782
Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via a security misconfiguration and call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the crowd application...
Upgrade Apache Commons-text to mitigate CVE-2022-42889 (excludes bundled OpenSearch)
h3. DISCLAIMER (Bundled OpenSearch) This issue only covers commons-text usages in the Bitbucket WebApp, not the bundled OpenSearch. To track the upgrade of OpenSearch to a version that contains an updated...
Attachments that are added to drafts while collaborative editing is off are searchable when collaborative editing is turned on
h3. Issue Summary This is reproducible on Data Center: yes h3. Steps to Reproduce Turn OFF collaborative editing. Create a page. Add an attachment to the page. Do not publish the page. Try searching for the draft or attachment. Enable Collaborative Editing. Perform reindexing. Try searching for the draft o...
Vulnerable version of xmlsec used - CVE-2021-40690 in atlassian-authentication-plugin
Recently we have identified that, on top of the libraries mentioned in JRASERVER-73580, there was another library, atlassian-authentication-plugin, that has a transitive dependency on xmlsec that could be related to the vulnerability described in...
Critical severity command injection vulnerability - CVE-2022-43781
There is a command injection vulnerability via environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center...
Synchrony Proxy: spring-beans 5.3.19 is vulnerable to CVE-2022-22970
h3. Issue Summary spring-beans is vulnerable to CVE-2022-22970. This is reproducible on Data Center: yes h3. Steps to Reproduce Install Confluence 7.13.9. Step 2 h3. Expected Results Expect that synchrony-proxy/WEB-INF/lib contains spring-beans-5.3.20.jar or higher. h3. Actual Results...
Reset password function leaks information that can be used to harvest accounts
h3. Issue Summary When hitting the resetuserpassword.action URL directly with a username value, it is possible to identify valid users through the responses given by Confluence, because the response for a valid user differs from the response for an invalid user. This is an issue, as a malicious entity can...
Granting the 'Browse Project Archive' permission to a 'Custom Field' within a permission scheme allows all users to see archived issues in result set
h3. Issue Summary If within a project the 'Browse Project Archive' and 'Browse Project' permissions are granted to 'Group Custom Field' or to the 'Reporter' option within the permission scheme, the project will become available to search for any user with the 'Browse Project Archive' permission i...
jquery 2.2.4 XSS vulnerability
Affected versions of Bitbucket Server and Data Center use a version of jQuery that is vulnerable to CVE-2020-11022 and CVE-2020-11023. These allow an unauthenticated attacker to inject JavaScript into the application via Cross-Site Scripting (XSS) vulnerabilities. A jQuery patch has been applied fo...
Template Injection in Email Templates leads to RCE on Jira Service Management Server
Affected versions of Atlassian Jira Service Management Server and Data Center allow Jira Administrators to execute arbitrary system commands via a template injection in the endpoint /admin/EmailTemplatesSettings!default.jspa. The affected versions are before version 8.13.19, from version 8.14.0...
"Fatal: unsafe repository" error when using Git 2.35.2 or newer
h3. Issue Summary When Fisheye is installed on Windows with Git 2.35.2 or newer, new commits and branches in Git are not visible in Fisheye. This issue occurs due to a security update in Git (https://github.blog/2022-04-12-git-security-vulnerability-announced/), as detailed in Error "fatal...
Critical severity command injection vulnerability - CVE-2022-36804
h3. Command injection vulnerability through malicious HTTP requests There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary co...
Jira Align - SSRF in ManageJiraConnectors API - CVE-2022-36802
The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to access internal network resources via a Server-Side Request Forgery (SSRF). This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a...
User without "Browse Users" permission can view groups - CVE-2022-36800
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. The affected versions are before version 4.22.2. Affected...
SSRF via CSV import into JSM Insight - CVE-2021-43959
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in the CSV importing feature of JSM Insight. When running in an environment...
This ticket is to request backporting the fix from JRASERVER-73593 into the 8.20.x LTS version
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers without permission to view a private project to view the project's issue creation meta information via a Broken Access Control vulnerability in the /issue/createmeta endpoint. The affected LTS version ...
The Mail Handler creates tickets from incoming emails in the wrong projects
The mail handler in Jira Service Management (JSM) Server and Data Center 4.22.5 incorrectly maps new incoming emails to the wrong JSM project, instead of the project linked to the mailbox the mails were sent to. If JSM is configured to process emails and create tickets in a restricted-access projec...
Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803
The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission to use the MasterUserEdit API to modify any user's role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox. Affected versions: versi...
The JSM Mail Handler functionality creates tickets from incoming emails in the wrong projects
h3. Issue Summary When multiple Jira Service Management (JSM) projects are configured with a Mail Handler (https://confluence.atlassian.com/servicemanagementserver/receiving-requests-by-email-939926303.html) via Project Settings > Email Requests, the following issue happens: - the JSM Mail Handler...
Questions For Confluence App - Hardcoded Password
Update: This advisory has been updated since its original publication. 2022/08/01 12:00 PM PDT (Pacific Time, -7 hours): Updated the Remediation section to note that if the disabledsystemuser account is manually deleted, the app must also be updated or uninstalled to ensure the account...
Confluence Apache Tomcat CVE-2022-34305
This is reproducible on Data Center: yes. Tomcat 9.0.63, the version bundled with Confluence 7.18.2 and Confluence 7.13.8, is vulnerable to CVE-2022-34305 (https://vulners.com/cve/CVE-2022-34305). h3. Steps to Reproduce - h3. Expected Results - h3. Actual Results - h3. Workaround Manuall...
Crowd: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Crowd Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Bitbucket: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Bitbucket Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Crucible: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Crucible. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Fisheye: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Fisheye. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Bamboo: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Bamboo Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Confluence: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Confluence Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
JSM: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Jira Service Management Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Update Log4j to 1.2.17-atlassian-16 to fix CVE-2022-23305, CVE-2022-23307, CVE-2020-9493, CVE-2022-23302
Crucible in version 4.8.9 and older uses a log4j library that has the following vulnerabilities: CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 / CVE-2020-9493 Crucible 4.8.10 uses a custom-built log4j, which has the above vulnerabilities fixed...
Update Log4j to 1.2.17-atlassian-16 to fix CVE-2022-23305, CVE-2022-23307, CVE-2020-9493, CVE-2022-23302
Fisheye in version 4.8.9 and older uses a log4j library that has the following vulnerabilities: CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 / CVE-2020-9493 Fisheye 4.8.10 uses a custom-built log4j, which has the above vulnerabilities fixed...
Workbox: upgrade Underscore.js to 1.13.1 or higher
h3. Issue Summary The Workbox host plugin in Confluence is currently using underscore.js 1.3.1. This is old enough not to be vulnerable to CVE-2021-23358, but it should be using the version provided by Confluence, not its own. The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and...