Mobile web: upgrade Underscore.js to 1.13.1 or higher
h3. Issue Summary The mobile web view in Confluence currently uses underscore.js 1.3.3, which is affected by CVE-2021-23358: the package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template functio...
Notifications: upgrade Underscore.js to 1.13.1 or higher
h3. Issue Summary Atlassian Notifications currently uses underscore.js 1.3.3, which is affected by CVE-2021-23358: the package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function,...
UPM: upgrade Underscore.js to 1.13.1 or higher
h3. Issue Summary UPM currently uses underscore.js 1.4.4, which is affected by CVE-2021-23358: the package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variabl...
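The three Underscore.js entries above all point at the same weakness: the `variable` setting of the template function is spliced unsanitized into generated code. The block below is an added illustration written for this page, not underscore.js's own source or Atlassian's code. It is a deliberately tiny template compiler in the style of `_.template` (only `<%= %>` interpolation), shown once with the unsanitized `variable` handling and once with a bare-identifier check modelled on the idea behind the 1.13.1 fix. The `templatePwned` flag and the `PAYLOAD` string are constructed for the demonstration.

```javascript
// Added example, not underscore.js's code: a stripped-down template compiler
// in the style of _.template, enough to show the CVE-2021-23358 failure mode.
// The `variable` setting names the parameter that template expressions read
// from; in the vulnerable form it is spliced verbatim into `new Function(...)`.

const INTERPOLATE = /<%=([\s\S]+?)%>/g;

// Turns template text into the body of a generated function.
function buildBody(text) {
  let source = "let __p = '';\n";
  let index = 0;
  for (const m of text.matchAll(INTERPOLATE)) {
    source += '__p += ' + JSON.stringify(text.slice(index, m.index)) + ';\n';
    source += '__p += String(' + m[1] + ');\n'; // expression evaluated at render time
    index = m.index + m[0].length;
  }
  source += '__p += ' + JSON.stringify(text.slice(index)) + ';\nreturn __p;';
  return source;
}

// Vulnerable: whatever `settings.variable` contains becomes the parameter list.
function compileVulnerable(text, settings = {}) {
  const argument = settings.variable || 'obj';
  return new Function(argument, buildBody(text));
}

// Hardened (the shape of the upstream fix): only a bare identifier is accepted.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileHardened(text, settings = {}) {
  const argument = settings.variable || 'obj';
  if (!BARE_IDENTIFIER.test(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  return new Function(argument, buildBody(text));
}

// Constructed payload: a second, defaulted parameter whose initializer runs
// every time the compiled template is rendered. A real attacker would put
// something other than a flag flip in the initializer.
globalThis.templatePwned = false;
const PAYLOAD = 'data, _ = (globalThis.templatePwned = true)';

function demoVulnerable() {
  globalThis.templatePwned = false;
  const tpl = compileVulnerable('Hello <%= data.name %>', { variable: PAYLOAD });
  const out = tpl({ name: 'alice' }); // renders normally, and runs the payload
  return { out, pwned: globalThis.templatePwned };
}

function demoHardened() {
  globalThis.templatePwned = false;
  try {
    compileHardened('Hello <%= data.name %>', { variable: PAYLOAD });
    return { threw: false, pwned: globalThis.templatePwned };
  } catch (e) {
    return { threw: true, pwned: globalThis.templatePwned, message: e.message };
  }
}

// Benign use keeps working under the hardened compiler.
function demoBenign() {
  const tpl = compileHardened('Hello <%= data.name %>', { variable: 'data' });
  return tpl({ name: 'alice' });
}
```

The point to notice is that the rendered output is identical in the vulnerable case, so a template that "works" is no evidence the setting is safe; the only reliable check is rejecting anything that is not a plain identifier before it reaches `new Function`. When auditing a product bundle, grep for `_.template(` calls whose `variable` value is derived from request or configuration data, not just for the library version.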
Apache Tomcat CVE-2022-34305
h3. Issue Summary This is reproducible on Data Center: yes. Tomcat 8.5.72, bundled with Jira 8.22, and Tomcat 9.0.61, bundled with Jira 9, are vulnerable to CVE-2022-34305 https://vulners.com/cve/CVE-2022-34305 h3. Steps to Reproduce -- h3. Expected Results -- h3. Actual Results...
REST API falsely updates Project Category without necessary permissions
NOTE: This is for Jira Server and Jira Data Center. h3. Issue Summary A user with Project Administrator permissions is able to update the Project Category via the REST API, but in the Jira UI only a Jira Administrator is allowed to update the Project Category. h3. Steps to...
Full Read SSRF in Mobile Plugin CVE-2022-26135
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Jira Service Management Server and Data Center versions from versi...
REST API endpoints leaked project categories, status categories, issue link types, priorities, and resolutions to unauthorised users
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated attacker to view project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following endpoints: /rest/api/2/issueLinkType...
DoS (Denial of Service) in Crowd Data Center and Crowd Server - CVE-2022-29885
h2. Summary of Vulnerability This critical severity DoS (Denial of Service) vulnerability, known as CVE-2022-29885, was introduced in version 4.0.0 of Crowd Data Center and Crowd Server. h2. Affected Versions Product: Crowd Data Center / Crowd Server. Affected Versions: 4.0.0 - 5.0.0. h2. Fixed...
Jira: Multiple Servlet Filter Vulnerabilities
Multiple Servlet Filter vulnerabilities have been fixed in Jira Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...
Upgrade Tomcat to mitigate CVE-2022-29885
h3. Issue summary Apache Tomcat should be upgraded to 8.5.79 or a later version to fix CVE-2022-29885 (https://nvd.nist.gov/vuln/detail/CVE-2022-29885) h3. Environment Bamboo 7, 8 h3. Steps to Reproduce Check the Tomcat version in pom.xml or with /bin/version.sh (version.bat on Windows) h3. Expected Results apache-tomcat...
Jira: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16
The version of log4j used by Jira has been updated from version 1.2.17-atlassian-3 to 1.2.17-atlassian-16 to address the following vulnerabilities: CVE-2021-4104|https://vulners.com/cve/CVE-2021-4104 JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update t...
RCE in Confluence DataCenter via HazelCast(Confluence) Port
Summary A remote attacker who can connect to the Hazelcast service, running on port 5801 and potentially 5701, is able to execute arbitrary code on all the nodes in a Confluence Data Center through Java deserialization. Vulnerability Details Confluence Data Center uses the third-party software...
Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7,...
Unauthenticated remote code execution vulnerability via OGNL template injection - Duplicate
This is a duplicate of https://jira.atlassian.com/browse/CONFSERVER-79016 See the link above for more information on the issue...
Confluence: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16
The version of log4j used by Confluence has been updated from version 1.2.17-atlassian-15 to 1.2.17-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is bundled with...
Full Read SSRF in Mobile Plugin CVE-2022-26135
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0...
Crowd: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16
The version of log4j used by Crowd has been updated from version 1.2.17-atlassian-3 to 1.2.17-atlassian-16 to address the following vulnerabilities: CVE-2021-4104|https://vulners.com/cve/CVE-2021-4104 JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update th...
IDOR (Insecure direct object references) in Jira 8.13.10
We have found during testing that by sending a fake header with a domain name supplied as a suffix, i.e. attack.eu, in the Host header field, the web server processes the input to send the request to an attacker-controlled host that resides at the supplied domain, and not to an internal virtual...
A vulnerable version of Apache Tomcat was used in Jira Server (CVE-2020-9484, CVE-2022-23181)
Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-9484 and CVE-2022-23181. The affected versions of Jira Server and Data Center are before version 8.13.20, from version 8.14.0 before 8.20.8, from version 8.21.0 before 8.22.2...
Reflected XSS on /secure/TeamManagement.jspa via "planUrl" parameter - CVE-2022-36801
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8. Affected versions:...
Vulnerable version of PostgreSQL JDBC driver used - CVE-2022-21724
Affected versions of Atlassian Jira Server and Data Center used versions of the PostgreSQL JDBC driver that were vulnerable to CVE-2022-21724. The affected versions of Atlassian Jira Server and Data Center are before version 8.22.2. Affected versions: < 8.22.2 Fixed versions: 8.22.2 and...
Update Log4J to 1.2.17-atlassian-16 to fix CVE-2022-23305, CVE-2022-23307, CVE-2020-9493, CVE-2022-23302
CVE-2022-23305 Customers that have JDBCAppender configured may be vulnerable to SQL Injection attacks Change Summary: Removed JDBCAppender thus no longer allowing customers to use. CVE-2022-23307 / CVE-2020-9493 Unsafe deserialization issue present in Apache Chainsaw that was bundled in log4j1...
Bamboo remote agent: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16
The version of log4j used by the Bamboo remote agent has been updated from version 1.2.17-atlassian-15 to 1.2.17-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is...
Bamboo: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16
The version of log4j bundled with Bamboo has been updated from version 1.2.17-atlassian-15 to 1.2.17-atlassian-16 to address the following vulnerabilities: CVE-2020-9493|https://vulners.com/cve/CVE-2020-9493 and CVE-2022-23307|https://vulners.com/cve/CVE-2022-23307 Apache Chainsaw is bundled with...
Bitbucket displays sensitive DB details in error message in browser
h3. Issue Summary On application startup, if the database is down, the Bitbucket application displays the sensitive database hostname and port in the error message shown in the browser. Error Message: The database, as currently configured, is not accessible. Connection to : refused. Check tha...
Confluence Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2016-10750
h3. Vulnerability Details Confluence Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks CVE-2016-10750|https://vulners.com/cve/CVE-2016-10750. Hazelcast provides functionality needed to run Confluence Data Center as a cluster. A remote,...
Vulnerability in LESS Transformer Plugin used by Bitbucket
h3. Issue Summary As of Bitbucket 7.21 the LESS Transformer Plugin shipped is version 4.0.0. Unfortunately it has a dependency on commons-codec version 1.4, which has a number of security vulnerabilities, e.g. commons-codec:commons-codec / 1.4 Apache Commons Codec...
Authentication Bypass in Jira Seraph - CVE-2022-0540
Updates 2022/05/05 11:30 AM PDT: Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available: Secure Code Warrior® for Jira, Simple Tasklists, Simple Team Pages for Jira, UiPath Test Manager for Jira, Xporter - Export issues from...
Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133
Update: 2022/04/08 23:00 UTC. Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket. Note the new CVE assignment does not change any other information in this advisory...
Admin user can download audit logs without WebSudo validation
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to download audit logs, via a Broken Access Control vulnerability in the /auditing/export/download endpoint...
Admin user can change Base URL without WebSudo validation
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to change the Base URL of a Jira instance via a Broken Access Control vulnerability in the /rest/api/2/settings/baseUrl endpoint. The affected...
Admin user can toggle JMX monitoring without WebSudo validation
Affected versions of Atlassian Jira Server and Data Center allow attackers with administrator privileges to bypass WebSudo validation in order to toggle JMX monitoring, via a Broken Access Control vulnerability in the JmxMonitoringAction.jspa endpoint. The affected versions are before version...
A user can view the "createmeta" information of private projects
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers without permission to view a private project to view the project's issue creation meta information via a Broken Access Control vulnerability in the /issue/createmeta endpoint. The affected versions are...
Admin user can change Portfolio Plugin hierarchy without WebSudo validation
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify the hierarchy structure of the Portfolio Plugin via a Broken Access Control vulnerability in the hierarchy configuration component. The affected versions are before version 8.20.4, and from version 8.21.0...
REST API Endpoint Leaked private project to unauthorized user
Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint. Affecte...
Vulnerable version of xmlsec used - CVE-2021-40690
Affected versions of Atlassian Jira Server and Data Center used versions of xmlsec that were vulnerable to CVE-2021-40690. Affected versions: < 8.22.2 Workaround: version 8.22.2 LTS versions 8.13 and versions up to 8.20.14 should also apply this workaround. This is permanently fixed in...
Jira Software Server Template RCE via Email Templates feature
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Software Server and Data Center allow a system administrator to execute arbitrary code via a remote code execution in the...
Template Injection in Email Templates - bypass of mitigation via XStream - CVE-2022-36799
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Templat...
Jira does not invalidate session after a password change
When a user changes their password via the UI, the session cookie is not invalidated. For security purposes, all sessions should be invalidated and the user required to sign back in with the new password...
Tomcat versions bundled with the Crowd product are vulnerable to CVE-2021-33037
The Tomcat 8.5.x versions bundled with Atlassian Crowd releases lower than Crowd 4.4.1 are vulnerable to CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037 Tomcat versions from 8.5.0 to 8.5.66 are affected by the mentioned...
CVE-2021-43955: /rest-service-fecru/server-v1 leaks information about installation directories
The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via an information disclosure vulnerability. Affected versions: < 4.8.9 Fixed versions: 4.8.9...
CVE-2021-43956: Javascript Prototype Pollution in the jQuery deserialize library
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. Affected versions: < 4.8.9 Fixed versions: 4.8.9...
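The entry above names the bug class but not the mechanism. The block below is an added illustration written for this page, not the jQuery deserialize library's code and not Fisheye/Crucible code: a minimal "form-encoded string to nested object" deserializer of the kind such libraries provide, in a vulnerable form and a hardened form. The `SAMPLE` query string and the `isAdmin` key are constructed for the demonstration; the gadget that turns a polluted property into injected HTML or script is application-specific and is not shown.

```javascript
// Added example, not the jQuery deserialize library's code. Keys like
// a[b][c]=1 become {a:{b:{c:'1'}}}; the vulnerable walker lets
// __proto__[x]=y land on Object.prototype, so every object in the process
// suddenly has an `x` property.

// Splits "a[b][c]" into ['a', 'b', 'c'].
function splitPath(key) {
  const m = /^([^\[\]]*)((?:\[[^\[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const parts = [m[1]];
  for (const seg of m[2].matchAll(/\[([^\[\]]*)\]/g)) parts.push(seg[1]);
  return parts;
}

// "k=v&k2=v2" -> [[k, v], [k2, v2]], percent-decoded.
function parsePairs(qs) {
  return qs.split('&').filter(Boolean).map(pair => {
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    return [decodeURIComponent(k), decodeURIComponent(v)];
  });
}

// Vulnerable: plain property access while walking the path, so a segment
// named __proto__ resolves to Object.prototype and the final assignment
// is written there.
function deserializeVulnerable(qs) {
  const root = {};
  for (const [key, value] of parsePairs(qs)) {
    const path = splitPath(key);
    let cur = root;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return root;
}

// Hardened: reject the dangerous segment names outright, build only
// null-prototype objects (which have no __proto__ accessor to abuse), and
// descend only through own properties.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function deserializeHardened(qs) {
  const root = Object.create(null);
  for (const [key, value] of parsePairs(qs)) {
    const path = splitPath(key);
    if (path.some(p => FORBIDDEN.has(p))) {
      throw new Error('rejected key with forbidden path segment: ' + key);
    }
    let cur = root;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
      if (!own || typeof cur[path[i]] !== 'object') cur[path[i]] = Object.create(null);
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return root;
}

// Constructed sample input (not taken from the advisory): one benign field
// plus a polluting key.
const SAMPLE = 'user[name]=alice&__proto__[isAdmin]=true';

function demoVulnerable() {
  const probe = {};                       // unrelated object created before parsing
  const out = deserializeVulnerable(SAMPLE);
  const polluted = probe.isAdmin;         // 'true' now visible on every plain object
  delete Object.prototype.isAdmin;        // undo the damage for the rest of the process
  return { name: out.user.name, polluted };
}

function demoHardened() {
  const probe = {};
  let threw = false;
  try { deserializeHardened(SAMPLE); } catch (e) { threw = true; }
  const ok = deserializeHardened('user[name]=alice&user[tags][0]=x');
  return { threw, polluted: probe.isAdmin, tagsZero: ok.user.tags['0'] };
}
```

The deny list is the obvious fix, but the null-prototype objects matter too: they keep a future parser change (or a bracket syntax the regex did not anticipate) from reopening the path to `Object.prototype`. When triaging a report like this one, the quick confirmation is to parse a polluting key and then read the property off a fresh `{}`.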
Update atlassian-gadgets to 4.2.41 to fix information leak
The atlassian-gadgets library bundled in Crucible allowed an information leak about installed plugins to anonymous users...
Update atlassian-gadgets to 4.2.41 to fix information leak
The atlassian-gadgets library bundled in Fisheye allowed an information leak about installed plugins to anonymous users...
Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104
Log4J version 1.2.17-atlassian-3 used in Fisheye and Crucible is vulnerable to CVE-2021-4104. The JMSAppender in Log4J 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4J configuration. Note this issue only affects Log4J 1.2 when specifically...
CVE-2021-43957: Bypass for CVE-2020-29446 (Local file disclosure / path traversal within WEB-INF)
Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of URL decoding. The affected versions are before version 4.8.9...