4195 matches found
Upgrade Tomcat to 8.0.36 or later
The current version of Tomcat, 8.0.33, is vulnerable to CVE-2016-3092 (http://www.cvedetails.com/cve/CVE-2016-3092/). We need to upgrade the version we package with JIRA to address that vulnerability...
SourceTree 7za Vulnerability.
SourceTree version 1.8.3 installs 7za.exe version 9.20 (C:\Program Files (x86)\Atlassian\SourceTree\tools\7za.exe), which has known vulnerabilities: CVE-2016-2334, CVE-2016-2335. More information about the vulnerabilities: http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html...
XSS in newFileName Field
From an external report: "Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the...
CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes
Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent. Affected versions: All versions of Bamboo...
CVE-2016-4319: /auditing/settings was vulnerable to CSRF
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/JRACLOUD-61803. The /auditing/settings resource was vulnerable to CSRF (https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks...
CVE-2016-4319: /auditing/settings was vulnerable to CSRF
The /auditing/settings resource was vulnerable to CSRF (https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks...
CVE-2016-4319: /auditing/settings was vulnerable to CSRF
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report: http://jira.atlassian.com/browse/JRASERVER-61803. The /auditing/settings resource was vulnerable to CSRF (https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks...
When JIRA project has a security scheme, the option "None" is not displayed in Crucible
Summary: Whenever a JIRA project has a Security Scheme defined and a workflow transition has at least one required field, a window is opened on the JIRA side so that the required field(s) can be selected. Among the fields displayed in this window is the "Security Level", in which the...
bitbucket attempted security breach
Bitbucket https://bitbucket.org/socialauth/migrate/?next=/ is asking for my Atlassian password. Asking for a password for another website is at best bad practice...
Adding a group as a reviewer fails when the group id contains special characters because it is not encoded
Summary: Groups containing special characters (e.g. or /) cannot be added as Reviewers. Steps to Reproduce: Create a group with a special character in its name in an external user directory (e.g. JIRA or LDAP); synchronize the group to FishEye; add the group as a reviewer to a review. Expected...
group normalisation from 4.0 upgrade tasks is breaking permissions
Group normalisation from 4.0 upgrade tasks is breaking permissions. Scenario: a backup was created from a 3.1.7 instance, with repo "repo-uppercase-access" configured so that "GROUP-A" has read access; after the backup file was restored on a 4.1 instance, I can see the following messages in the upgrade log: $ grep -i renam...
CVE-2016-4321: XSS in moving User Repos
There was an XSS, which required user interaction, when moving user repositories...
JIRA puts a user's XSRF token in various resources.
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/JRACLOUD-61250. Steps to Reproduce: Log into JIRA; log out from JIRA. Expected Results: The URL shown in the address bar does not show the...
JIRA puts a user's XSRF token in various resources.
Steps to Reproduce: Log into JIRA; log out from JIRA. Expected Results: The URL shown in the address bar does not show the atl_token value. Actual Results: The URL shown in the address bar shows the atl_token value. Impact: After checking with the security teams, this appears to be a low ris...
JIRA puts a user's XSRF token in various resources.
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report: http://jira.atlassian.com/browse/JRASERVER-61250. Steps to Reproduce: Log into JIRA; log out from JIRA. Expected Results: The URL shown in the address bar does not show the...
Forms that use the GET method cause the XSRF token to be added to the URL
Steps to Reproduce: In Confluence, visit the "My Profile" page (/users/viewuserprofile.action) and click "Edit Profile"; note that no atl_token is present in the URL. Click "Settings" (/users/viewmysettings.action) and click "Edit"; note that the atl_token value is present in the URL. Cause: Some forms are...
CVE-2016-4317: XSS on viewmyprofile.action page
The viewmyprofile.action resource was vulnerable to persistent XSS...
The "Restrict to articles with labels" option doesn't restrict the customer portal from suggesting KB's other than those with the nominated Label
Summary: Currently we have the "Restrict to articles with labels" option, where you can specify the label for a request. When a customer is filling in the summary for a request, SD will search the knowledge base for similar content from Confluence pages with that label. However, the customer portal sear...
Cannot sign commits and tags for Git Flow
The Git Flow actions do not have an option to sign off commits and tags. Unlike a commit or tag created manually, there is no Sign tag option. See attachment for reference to Add Tag feature that has the Sign tag option...
Moving or deleting an issue leaves the empty attachments subdirectory on the filesystem
To reproduce: Create an issue; attach a file to it; locate the file on the JIRA server filesystem, under the JIRA "home" directory at attachments/..../PROJECT-ISSUE; move the issue to a different project or delete it completely; observe the empty issue subdirectory remaining on the filesystem. The director...
users without "delete attachment permission" can delete attachment
Go to Space Tools > Permissions and remove user X's permission to delete attachments; go to a page in that space which contains an attachment; go to Attachments: no "delete" link is available; expand an attachment to see older versions, including the current version; for each version there is the...
Permission issues with projects and reviews
There are 2 issues related to the permission schema. They were grouped together into a single issue, marked with a security label. Issue 1: A user visited Project A in the past, and has also visited a review raised in Project A. FeCru allows him to access those recent items using the menu on top...
Drop support Windows Quicktime plugin from Confluence multimedia plugin
The US Government is recommending that users uninstall QuickTime for Windows (http://krebsonsecurity.com/2016/04/us-cert-to-windows-users-dump-apple-quicktime/). To help users transition, we need to drop support for the QuickTime plugin from the Multimedia plugin and use the "video" tag instead...
Stored XSS in ViewWorkflowTransition.jsp
Steps to reproduce: 1. Go to the workflow edit page as an administrator. 2. Add the validator "User Permission Validator" to a transition with the user name parameter "alert2". 3. This triggers XSS on the ViewWorkflowTransition page...