Stored XSS in ViewWorkflowTransition.jsp
Steps to reproduce: (1) Go to the workflow edit page as an administrator. (2) Add the validator "User Permission Validator" to a transition with the user name parameter "alert2". (3) It will trigger XSS on the ViewWorkflowTransition page...
Security Issue with multimedia playback on Mac OSX
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-41124. Currently your multimedia playback method uses an older and insecure method. I had to reinstate old plugins to make...
Security Issue with multimedia playback on Mac OSX
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-41124. Currently your multimedia playback method uses an older and insecure method. I had to reinstate old plugins to mak...
Security Issue with multimedia playback on Mac OSX
Currently your multimedia playback method uses an older and insecure method. I had to reinstate old plugins to make it work, and I would like to be able to disable these plugins as soon as possible. Can you please update your code for this as outlined here: https://support.apple.com/en-au/HT20508...
Two factor Authentication
As an IT administrator of our company I want all users to authenticate to Bamboo in two steps: username/password and an app or SMS. So that I'm always sure that an employee of our company logs in to Bamboo instead of a hacker. This makes my infrastructure even more secure...
Enabling SSL Broker for Remote Agents breaks Elastic Agent connectivity
Summary: When enabling SSL connectivity for remote agents by changing the Broker URL and Broker Client URL protocols from tcp:// to ssl://, elastic agents are no longer able to connect. Steps to Reproduce: Start an Elastic Agent and run a test build to confirm Elastic Agents are connecting...
Responses with Set-Cookie header cached
Context: We have Jira running with SSO from Crowd. Jira is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-Control, Expires and Pragma HTTP headers. Problem: We have discovered the following cases of session mix-up where a user (1) gets the Crowd...
Responses with Set-Cookie header cached
Context: We have Confluence running with SSO from Crowd. Confluence is behind a corporate reverse proxy from BlueCoat which has caching enabled but respects the Cache-Control, Expires and Pragma HTTP headers. Problem: We have discovered the following cases of session mix-up where a user (1) get...
As an administrator I want to be able to configure whether XSS protection should apply to requirements or not
Problem Definition: For XSS protection, certain "dangerous" characters are not allowed as input in many fields in Bamboo, including requirements. One such character is the ampersand &, which can be used for logical AND expressions such as "a && b" for "a AND b". At the moment, because XSS...
JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/JRACLOUD-59980. Security information: The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version...
Upgrade Tomcat to the latest 8.0.x release
Summary: We are currently on 8.0.17 and have already been bitten by a bug in it: https://bz.apache.org/bugzilla/showbug.cgi?id=57476. We should upgrade to the latest release to get the latest bug fixes. Also, there have been a number of recent CVEs involving Tomcat, most of which involve SecurityManager...
Project Administrators can adjust permission schemes without having the permission
Summary: When alterations to the permission scheme of a Service Desk project have been made, the project administration page can display an error message as described on the following page: https://confluence.atlassian.com/servicedesk/resolving-permission-scheme-errors-660967497.html In order t...
XSS vulnerability found in profile settings
There was an XSS vulnerability found in the profile settings pages...
Update Java version bundled found in the installer to a version >= 1.8u71
Update the bundled version of Java to a version >= 1.8u71 (1.8 update 71), which fixes many security issues: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlAppendixJAVA. Included in the security fixes is a fix for CVE-2016-0483, "An out-of-bounds write flaw was found in the...
Windows 4.0 prompted "Untrusted Certificate" error in Rooms
Summary: When accessing specific rooms with a URL from an untrusted website, the error message "Untrusted Certificate" appears, prompting whether you want to trust the certificate and continue. [Screenshot: Screen Shot 2016-01-22 at 10.28.08 AM.png] Environment: Windows. Actual Results: The following...
Customer can see Internal Comment created by Automation Action
Environment: run JIRA from atlas-debug; JIRA 7.0.5; JIRA Service Desk 3.0.5. Steps to reproduce: Create a Service Desk project, go to the Administration - Automation tab, click New rule - Custom rule, add the Trigger "Issue Created", add the Action "Add comment", put some comment text and select Internal as...
CVE-2015-8361: Services exposed without authentication Vulnerability
Bamboo exposed services without first performing authentication checks. Attackers can use this vulnerability to extract confidential information from Bamboo, modify certain settings and manage build agents. To exploit this issue, attackers need to be able to access the Bamboo JMS port. Affected...
CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability
Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port (port 5466...
CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability
Bamboo used an old version of the Smack XMPP library that deserialises messages received over XMPP. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo if an XMPP connection has been configured. To exploit this issue, Bamboo...
Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances
Users existing in a remote Crowd/JIRA authentication source may get access to a FishEye/Crucible instance even if they are not members of the specified "Groups to Synchronise"...
Stronger algorithm used to digest instance admin password
Let's use PKCS5S2...
One Crucible admin can get access to repository password provided by another admin
It was possible to retrieve the repository passwords provided by another administrator via a web browser session. This is fixed now: the password can still be changed or unset if necessary, but it is not possible to read its contents...