CVE-2021-43958: Various rest resources missing CAPTCHA for failed user login attempts
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials...
CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService
Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery SSRF vulnerability in the DefaultRepositoryAdminService class. When runni...
Source configuration information leakage in API response
Affected versions of Atlassian Jira Service Management Server and Data Center allow an unauthorised user to view source configuration information via information disclosure in the endpoint /rest/insight/1.0/progress/category/imports/. Affected versions: 4.19.0 Fixed versions: 4.20.6...
Denial of service attacks due to use of vulnerable version of apache-commons-compress package
Affected versions of Atlassian Jira Service Server and Data Center allow an unauthenticated attacker to perform a denial of service attack against services that use the apache-commons-compress package. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.6, from versi...
Leaked admin credentials via Insight object import
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated users to see admin credentials via an information disclosure vulnerability in the \BaseUrl/rest/insight/1.0/import/module/test/rlabs-import-type-json?objectSchemaId= endpoint. The affected versions a...
Update Tomcat to version 8.5.75 to address CVE-2020-9484/CVE-2022-23181
h3. Issue Summary Update Tomcat to version 8.5.75 to address CVE-2020-9484/CVE-2022-23181. More information can be found here: https://nvd.nist.gov/vuln/detail/CVE-2022-23181 Taken from the page above: quote h3. CVE-2022-23181 Detail Current Description The fix for bug CVE-2020-9484 introduced a...
Tomcat should not disclose its own version to unauthenticated users
h3. Problem Definition When accessing URLs that aren't under the application context and are not defined in Tomcat, Tomcat returns a 404 along with its own version. h4. +Steps to reproduce problem+ In a Jira instance with a context called jira for instance, browse http:///nonexistenturi. Make sur...
Browsing /jira/rest/api/2/user/picker as an unauthenticated user should return 401
h3. Issue Summary Browsing /jira/rest/api/2/user/picker?query=username as unauthenticated always returns 404, along with the following message: code:java "errorMessages":"The user named '0' does not exist","errors": code h3. Steps to Reproduce Open a browser private window Browse...
Upgrade Moment.js to 2.22.1+ as required for CVE-2017-18214, CVE-2016-4055
Affected versions of Atlassian Jira Server and Data Center used versions of Moment.js that were vulnerable to CVE-2017-18214 and CVE-2016-4055. The affected versions of Atlassian Jira Server and Data Center are before version 8.22.0. Affected versions: version 8.22.0 Fixed versions: 9.3.1/9.4.0...
Upgrade Tomcat to version 8.5.75 - CVE-2020-9484/CVE-2022-23181
The latest version of Tomcat bundled in Jira 8.21 is 8.5.72. The vulnerability is referenced in the fixedinapachetomcat8.5.75security-8 advisory. panel CVE-2020-9484 When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if an attacker is...
Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104
Log4J version 1.2.17-atlassian-3 used in Fisheye and Crucible is vulnerable to CVE-2021-4104. The JMSAppender in Log4J 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4J configuration. Note this issue only affects Log4J 1.2 when specifically...
[BUG] Unauthenticated issues enumeration through API
I detected that in JIRA on-prem with the REST API exposed, an attacker that knows or discovers the name of a project can enumerate the issues that exist related to the project. All of this without being logged in to JIRA or having any credentials. The response of the server changes when the issue exists on the...
Request smuggling via a vulnerable version of Apache Tomcat - CVE-2021-33037
Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to request smuggling via CVE-2021-33037. The affected versions of Atlassian Jira Server and Data Center are before version 8.21.0. Affected versions: version 8.21.0 Fixed versions: 8.21....
CSRF allows toggling Thread Contention and CPU Monitoring - CVE-2021-43953
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery CSRF vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are befor...
Default field configuration can be restored via CSRF - CVE-2021-43952
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery CSRF vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. This bug is currently fixed on Jira 8.21.0. Non LT...
Object import configuration details are leaked via the Create Object type mapping feature - CVE-2021-43951
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view object import configuration details via an Information Disclosure vulnerability in the Create Object type mapping feature. The affected versions are before version 4.21.0...
Import source configuration information is leaked via the Insight Import Source feature - CVE-2021-43950
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature. The affected versions are before version 4.21.0...
An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are before version 4.21.0. Affected versions: version 4.21.0 Fix...
Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature. The affected versions are before version 4.21.0. Affected versions:...
Stored XSS in "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa - CVE-2021-43943
Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The...
Upgrade Logback for CVE-2021-42550
h3. Issue Summary In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9. Please note: There is no RCE in Logback, and there is no vulnerabili...
jira-importers-plugin has misconfigured XSRF protection - CVE-2021-43941
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa via a Cross-Site Request Forgery CSRF vulnerability in the jira-importers-plugin. The affected versions are before...
Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter - CVE-2021-43945
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting SXSS vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are...
Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-43944
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator permissions to execute arbitrary code via Template Injecti...
Unauthorized user can add administrator groups to filter subscriptions - CVE-2021-43946
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from...
Reflected XSS via /rest/collectors/1.0/template/custom - CVE-2021-43942
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting XSS vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting...
Email Template Injection to RCE - CVE-2021-43947
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution RCE vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665...
Denial of service via an OutOfMemoryError (Tomcat CVE-2021-42340)
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to impact the application's availability via CVE-2021-42340, a Denial of Service DoS vulnerability in Apache Tomcat. The affected versions of Atlassian Jira Server and Data Center are before version 8.21.0...
Information Disclosure even after CVE-2020-14179/JRASERVER-71536
h3. Issue Summary Unauthorized access to data from the following API even if the public.access.disabled is enabled. /rest/api/2/projectCategory /rest/api/2/resolution /rest/menu/latest/admin h3. Steps to Reproduce - Install Jira 8.13.9 with H2 database - Create a project and some Project categori...
A User with no permission to view a Jira issue can see its summary in the "Connected Jira Issues" in the object's view
h3. Issue Summary The "Connected Jira Issues" tab in the Insight Object view does not respect the level of permission granted to the logged-in user and displays all connected issues even if that user doesn't have the permission to view them. h3. Steps to Reproduce Create a Jira issue linked to a...
Unicode characters allow malicious code to be hidden from a human reviewer (Bamboo) - CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Bamboo where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or cod...
Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13
h3. Issue Summary Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13...
Unicode characters allow malicious code to be hidden from a human reviewer (Fisheye & Crucible) - CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Fisheye and Crucible where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...
Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Jira Service Management Server / DC and Insight Asset Management app where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These specia...
Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...
Unicode characters allow malicious code to be hidden from a human reviewer (Confluence Server) - CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Confluence Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by th...
Unicode characters allow malicious code to be hidden from a human reviewer (Bitbucket Server / DC) - CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Bitbucket Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...
Non-administrators can edit the File Replication settings - CVE-2021-41308
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...