4195 matches found
One FishEye admin can get access to repository password provided by another admin
It was possible to retrieve the repository passwords provided by another administrator via a web browser session. It has now been fixed, so the password can still be changed or unset if necessary, but it is not possible to read its contents...
Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
Crowd is vulnerable to Clickjacking (https://en.wikipedia.org/wiki/Clickjacking). That is, it is possible to frame Crowd from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name. This issue can be...
Backup action is XSRF vulnerable
An XSRF vulnerability was identified and fixed: it was possible to trigger the backup action, taking the application into maintenance mode. This could lead to overwriting an existing backup file...
User Picker Custom field HTML tags showing when creating new issues
Summary: Customer reported that when creating a User Picker custom field and adding HTML tags in the description field, the text link shows correctly in the Custom Field screen under Administration Settings. However, when creating new issues, the create issue form for the User Picker field shows the HTML code not...
Upgrade to version 3.2.2 of apache commons-collections
Quote: This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard Java object serialization mechanism. By default, serialization support for...
It is possible to access the list of patches in a review and their content by unprivileged users
We've discovered and fixed a security issue where the attacker could, using the REST API: (1) access the list of patches in a review (their filename, database id, upload date and anchor details) without authentication; (2) access the patch content for any review as long as he had view access to any other...
Log forging vulnerability
It is possible to fake log entries in FishEye/Crucible logs by sending specially crafted HTTP requests containing a newline character. For example, going to the URL /changelog/asd%0AFake%20log%20entry will cause the following to be logged: 2015-03-24 09:59:09,564 INFO qtp1610928748-315 fishe...
Check CSRF security in watch/unwatch action
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report at http://jira.atlassian.com/browse/CONFCLOUD-39719. Check CSRF security in watch/unwatch action...
Insecure Direct Object Reference
The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application, such as the content of the webapp directory in Confluence: http:///spaces/viewdefaultdecorator.action?decoratorName=...
XSRF check failure when trying to add a logo to a topic
Steps to reproduce: Create a topic in Confluence Questions. Select an image as a logo. Click Done. Expected results: The topic is created with the chosen logo. Actual results: The topic is created, but with the default tag logo. Notes: The same thing occurs when trying to add a logo t...
Rest API XSS
An unauthenticated XSS vulnerability has been confirmed in Confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something. POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...
Bad performance noticed on issues with long history
Performing some testing with JIRA 6.4.5, I've noticed that there is a huge difference when logging work on an issue with no history and on an issue with a long history. I enabled Profiling on JIRA to check the difference: Example 1: Issue with 858 entries on history: 2015-10-21...
Bad performance noticed on issues with long history
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion at http://jira.atlassian.com/browse/JRACLOUD-45903. Performing some testing with JIRA 6.4.5, I've noticed that there is a huge difference when logging work on an issue with no...
Bad performance noticed on issues with long history
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion at http://jira.atlassian.com/browse/JRASERVER-45903. Performing some testing with JIRA 6.4.5, I've noticed that there is a huge difference when logging work on an issue with no...
XSS in review file paths
We have identified an XSS vulnerability introduced in Crucible 3.9.0. The fix was included in version 3.9.1, released publicly on September 10th, 2015...
CVE-2015-6576: Deserialisation Resulting in Remote Code Execution Vulnerability
Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo web interface...
Cross-Site Scripting in subscribetocalendar.action
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report at http://jira.atlassian.com/browse/CONFCLOUD-48910. The contents of the 'subCalendarId' parameter are not validated in POST requests to 'subscribetocalendar.action' and...
Cross-Site Scripting in subscribetocalendar.action
The contents of the 'subCalendarId' parameter are not validated in POST requests to 'subscribetocalendar.action' and are susceptible to cross-site scripting. Steps to Reproduce: Start a proxy tool such as Burp Suite. Log into a Confluence instance with Team Calendars installed. Use the proxy tool t...
Cross-Site Scripting in subscribetocalendar.action
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report at http://jira.atlassian.com/browse/CONFSERVER-48910. The contents of the 'subCalendarId' parameter are not validated in POST requests to 'subscribetocalendar.action' an...
Active Directory/LDAP credentials stored in database in cleartext
We use an Active Directory server for authenticating our JIRA users, and a MySQL server for storing our JIRA data. We were extremely alarmed to discover that the username and password used for accessing the AD server are stored in cleartext in the MySQL database. Anyone who is able to compromise...
Prevent Activity feed information leakage by allowing permanently disabling of it
It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances, internal and external, which are connected one to another. Having them connected is clearly a business requirement for being able to cross link issues and to copy them...
Prevent Activity feed information leakage by allowing permanently disabling of it
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion at http://jira.atlassian.com/browse/JRACLOUD-45601. It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances,...
Prevent Activity feed information leakage by allowing permanently disabling of it
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion at http://jira.atlassian.com/browse/JRASERVER-45601. It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances,...
Migrating JIRA/Confluence from Cloud to Cloud reactivates inactive users
Summary: Admin migrated a Cloud instance of JIRA/Confluence to a new base URL. During the migration to the new JIRA/Confluence instance, inactive users became active. Environment: JIRA Cloud, Confluence Cloud. Steps to Reproduce: Create a user in JIRA Cloud. Deactivate the user. Make inactive...