Non-administrators can edit the File Replication settings - CVE-2021-41308
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the ReplicationSettings!default.jspa endpoint. The affected versions are before version 8.6.0,...
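Every Atlassian advisory on this page states its affected range in the same phrasing ("before version A, and from version B before C"), and the descriptions here are truncated, so the first thing a practitioner needs is a way to test a deployed version against the full advisory text. The following is an added example, not Atlassian code: it parses that phrasing into half-open ranges and checks a version against them. The two advisory excerpts in ADVISORIES are constructed for the example and their version numbers are illustrative, not the fixed versions of any CVE listed here.

```python
"""Check an installed Jira/Confluence version against advisory "affected versions" text.

Added example, not Atlassian code. It parses the phrasing these advisories use
("before version A, and from version B before C") into half-open ranges and
tests a version against them. The advisory excerpts in ADVISORIES are
constructed for this example; their version numbers are illustrative and are
not the fixed versions of any real CVE.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (lower bound inclusive, or None for "any earlier version"; upper bound exclusive)
Range = Tuple[Optional[Version], Version]

# Matches "before version 8.13.12" and "from version 8.14.0 before 8.19.1";
# the "from ..." prefix is optional, so both forms come out of one finditer().
_RANGE = re.compile(
    r"(?:from\s+(?:version\s+)?(?P<lo>\d+(?:\.\d+)*)\s+)?"
    r"before\s+(?:version\s+)?(?P<hi>\d+(?:\.\d+)*)"
)


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def parse_affected(advisory: str) -> List[Range]:
    """Extract every affected range from an advisory sentence."""
    ranges: List[Range] = []
    for m in _RANGE.finditer(advisory):
        lo = parse_version(m.group("lo")) if m.group("lo") else None
        ranges.append((lo, parse_version(m.group("hi"))))
    return ranges


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    # Compare 8.13 and 8.13.0 as equal by right-padding with zeros.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_range(v: Version, rng: Range) -> bool:
    lo, hi = rng
    if lo is not None:
        a, b = _padded(v, lo)
        if a < b:
            return False
    a, b = _padded(v, hi)
    return a < b  # the upper bound is the first fixed version, so strictly less


def is_affected(installed: str, advisory: str) -> bool:
    v = parse_version(installed)
    return any(in_range(v, r) for r in parse_affected(advisory))


# Constructed advisory excerpts in the page's phrasing (illustrative numbers).
ADVISORIES: Dict[str, str] = {
    "example-a": "The affected versions are before version 8.13.12, "
                 "and from version 8.14.0 before 8.19.1.",
    "example-b": "The affected versions are before version 8.19.0.",
}


def affected_advisories(installed: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """Names of the advisories whose affected ranges contain `installed`."""
    return sorted(name for name, text in advisories.items() if is_affected(installed, text))


if __name__ == "__main__":
    for ver in ("8.13.11", "8.13.12", "8.19.0", "8.19.1"):
        print(ver, affected_advisories(ver))
```

Feed it the complete "The affected versions are ..." sentence from the advisory, not the truncated snippet shown in this listing, and remember that the upper bound of each range is the first fixed version, so a version equal to it is not affected. The pattern only understands Atlassian's dotted-integer versions; library ranges such as the underscore.js "1.13.0-0" form below need a different parser.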
Reflected XSS /secure/admin/ImporterFinishedPage.jspa via error message - CVE-2021-41304
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from...
CVE-2021-23358 - Need to upgrade Underscore.js to 1.13.1 or higher
h3. Issue Summary Confluence is currently using underscore.js 1.10.2. However, it is affected by CVE-2021-23358: the package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a...
Anonymous users can view names of private projects and filters via Average Time in Status Gadget - CVE-2021-41306
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version...
Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...
Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError
h3. Issue Summary Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError. Base Score: 7.5 HIGH. bq. The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once th...
Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313
Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20....
Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313
Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.21....
Local File Disclosure to Browse All Files in /atlassian-bamboo
This vulnerability affects certain versions of Atlassian Bamboo. An attacker can craft a URL to browse all files inside /atlassian-bamboo in the Bamboo installation folder, including files in the WEB-INF folder...
Jira 8.19.X ships with JDK 11.0.11 which is affected by CVE-2021-2388
h3. Issue Summary Since the release of JRASERVER-72339, Jira 8.19.X ships with OpenJDK 11; however, the bundled AdoptOpenJDK 11.0.11 is affected by CVE-2021-2388: https://nvd.nist.gov/vuln/detail/CVE-2021-2388 - CVSS 3.1 Base Score 7.5. Quote from the doc: bq. This vulnerability does not apply to Java...
Replaying / intercepting a password reset POST request can allow for valid username enumeration
h3. Issue Summary Under certain conditions it's possible to enumerate valid usernames by replaying one of the password reset HTTP requests. h3. Steps to Reproduce Request a password reset email; open the password reset mail and click the link to open your browser; intercept the POST request of the...
Jira Service Management / Insight Asset Management vulnerable to RCE Security
Description Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution, a.k.a. RCE). The H2 DB is bundled with Jira to help speed up...
Anonymous user can view private project and filter names via IDOR in Average Number of Times in Status Gadget - CVE-2021-41305
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version...
Access-revoked user can view audit logs of Jira Projects - CVE-2021-41309
Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The...
Access-revoked user can enable/disable Issue Collectors on a Jira project - CVE-2021-41312
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors...
Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311
Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...
Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira...
Stored XSS on /secure/admin/AssociatedProjectsForCustomField.jspa - CVE-2021-41310
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before...
XStream upgrade to 1.4.18
h3. Problem XStream is vulnerable to security exploits such as those highlighted in the attached image. The list of CVEs can be found at https://x-stream.github.io/security.html. This ticket tracks its upgrade to 1.4.18. h3. Environment Confluence v7.13 h3. Workaround Set...
Sending an unauthenticated request to the Synchrony allows writing to the logs
h3. Issue Summary It is possible to write log entries via the Synchrony API without authentication. h3. Steps to Reproduce Enter the target URL in Postman, copy the GET or POST request and send the HTTP request. For all POST requests, you must ensure that the content length...
Replay attack via the CSRF failure retry form - CVE-2021-39124
The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. Affected versions: version 8.16.0 Fixed...
RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114
A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6,...
Anonymous users can view list of installed gadgets in Confluence
h3. Issue Summary The endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Confluence instance. While there is no identifying information, user data, or anything else available to anonymous users if they hit th...
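Several entries above share one shape: an endpoint that answers a principal it should refuse (a non-administrator at ReplicationSettings!default.jspa and ConfigureBatching!default.jspa, an access-revoked user at /plugins/servlet/audit/resource, an anonymous client at rest/config/1.0/directory). After patching, the useful regression test is to re-issue each request as that principal and confirm it is now denied. The following is an added example, not Atlassian code: the HTTP client is injected so the probes run offline against the constructed fake clients at the bottom, and urllib_client() shows the real-network shape. Which responses count as "denied" (401, 403, or a redirect into the login flow) is this example's assumption; the base URLs and session cookies it takes are inputs you supply.

```python
"""Authorization regression probes for endpoints named in the advisories above.

Added example, not Atlassian code. Each probe pairs an endpoint from this page
with the kind of principal the advisory says should be denied. The HTTP client
is injected so the probes run offline against the constructed fake clients at
the bottom; urllib_client() is the real-network shape. Treating 401, 403 or a
redirect to the login page as "denied" is this example's assumption: a 200 only
means the endpoint answered and must be read by a human.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# (product, path, session kind) -> (HTTP status, Location header or "")
Client = Callable[[str, str, str], Tuple[int, str]]


@dataclass(frozen=True)
class Probe:
    product: str   # "jira" or "confluence"
    path: str
    session: str   # "anonymous", "user" (authenticated non-admin) or "revoked"
    note: str


PROBES: List[Probe] = [
    Probe("jira", "/secure/admin/ReplicationSettings!default.jspa", "user",
          "CVE-2021-41308: non-admin can edit File Replication settings"),
    Probe("jira", "/secure/admin/ConfigureBatching!default.jspa", "user",
          "CVE-2021-41313: non-admin can edit email batch configuration"),
    Probe("jira", "/plugins/servlet/audit/resource", "revoked",
          "CVE-2021-41309: access-revoked user can export audit logs"),
    Probe("confluence", "/rest/config/1.0/directory", "anonymous",
          "installed gadget directory readable anonymously"),
]


def is_denied(status: int, location: str) -> bool:
    """Assumption: 401/403, or a redirect into the login flow, counts as denied."""
    return status in (401, 403) or (status in (302, 303) and "login" in location.lower())


def run_probes(client: Client, probes: List[Probe] = PROBES) -> Dict[str, str]:
    """Map each probed path to 'ok' (denied), 'EXPOSED' (200) or 'check:<status>'."""
    results: Dict[str, str] = {}
    for p in probes:
        status, location = client(p.product, p.path, p.session)
        if is_denied(status, location):
            results[p.path] = "ok"
        elif status == 200:
            results[p.path] = "EXPOSED"
        else:
            results[p.path] = f"check:{status}"
    return results


def urllib_client(base_urls: Dict[str, str], cookies: Dict[str, str]) -> Client:
    """Real client with no third-party dependencies. base_urls maps product to
    instance URL; cookies maps session kind to a Cookie header value obtained
    by logging in as that principal (hypothetical inputs, supplied by you).
    Redirects are not followed so a login bounce is visible as a 302."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)

    def client(product: str, path: str, session: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_urls[product] + path)
        if cookies.get(session):
            req.add_header("Cookie", cookies[session])
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.headers.get("Location", "")
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Location", "")

    return client


# Constructed fake clients standing in for an unpatched and a patched instance.
def unpatched_client(product: str, path: str, session: str) -> Tuple[int, str]:
    return 200, ""


def patched_client(product: str, path: str, session: str) -> Tuple[int, str]:
    if session == "anonymous":
        return 302, "/login.action?os_destination=" + path  # hypothetical login bounce
    return 403, ""


if __name__ == "__main__":
    print(run_probes(unpatched_client))
    print(run_probes(patched_client))
```

A 200 is reported as EXPOSED rather than judged automatically because an instance may render an access-denied page with a 200 status; read the body before filing it as a finding. Run the probes only against instances you are authorised to test, with sessions for each principal (a plain user, a user whose access was deliberately revoked, and no session at all), and add a probe line for any further endpoint from this list you patch.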
Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server-Side Template Injection vulnerability in the Email Template feature. The affected...
Denial of Service when reading particularly-crafted GIF files - CVE-2021-39116
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the GIF Image Reader component. The affected versions are before version 8.13.14, and from version 8.14.0 before 8.19.0. Affected...
Denial of Service when reading particularly-crafted GIF files - CVE-2021-39116
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the GIF Image Reader component. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed versions...
Issue watchers continue receiving updates even after their Jira account is revoked - CVE-2021-39119
h3. Summary Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are...
User Enumeration via /rest/api/1.0/render endpoint - CVE-2021-39118
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed...