4195 matches found
Removing user from LDAP doesn't clear LDAP group membership
Reproduction steps: 1. Setup generic LDAP user repository RW, with jira-users, jira-developers, jira-administrators groups. 2. Create user for John Smith as [email protected]. 3. Add him to jira-administrators group. 4. Remove user [email protected] John changed the company. 5. Create user for Jake Sunny as...
Disabled users are still able to request a password reset email.
Steps to Reproduce: Disable a user test in Crowd administration console make sure that there is no duplicate user Request password reset for the disabled user test. Expected Result: No mail will be sent to disabled account. Observed Result: The disabled user still receives the password...
Hide passwords in ps aux for https git tasks
When git checkout tasks configured to use HTTPS run, the user and password are exposed in ps aux: bamboo 15138 0.0 0.0 86752 2224 ? S May20 0:00 git-remote-https https://gituser:[email protected]/scm/consumer/XXXX.git...
XSS in FilterSubscription
To reproduce: Visit: /secure/FilterSubscription!default.jspa?returnUrl=javascript:alert1 Click "Cancel". An alert should appear. This URL should be restricted to the current domain, and to http/https protocols...
statTypes REST API exposes all statistics field names anonymously
On an instance with no anonymous access enabled, /rest/gadget/1.0/statTypes returns a list of all stattable custom fields names and IDs in the instance in response to anonymous requests. This is a nasty exposure of data - admins have no way of knowing that private data shouldn't be put into custo...
Cannot create page/s using "Create Page" Button
We are a large corporation currently in the process of rolling out a complete Atlassian Toolchain Jira, Confluence, Bamboo, Stash within the next 4 weeks. Unfortunately in Confluence, we cannot use the "Create Page" Button, as we get the following issue regardless of when this is done or by whom:...
Domain restricted signup is creating enabled users on ApacheDS
When a user signs up to a Confluence instance that has domain restricted sign up enabled, they are normally created as disabled users and are unable to login. However, when the underlying user directory does not support disabling users, such as ApacheDS 1.5, then the user ends up being created as...
Crowd User Directory application password stored in plain text
Table: cwddirectoryattribute. Column: attributevalue. How to Verify in my environment: Connect to JIRA database using psql and run query: select attributevalue from cwddirectoryattribute where attributename = 'application.password' Note how the returned value is the plain text value of th...
Stash uses plain text passwords in the database for the Crowd User Directory
I managed to accidentally lock myself out of my stash instance this morning during a routine upgrade and while looking for the name of a local stash user account I noticed that the password for the Crowd User Directory I'd set up incorrectly was stored as plain text in table cwddirectoryattribute...
Remove url parameter support for os_username, os_password
Putting credentials in request parameters is likely to lead to those credentials being logged in access logs. Workaround: The following workaround is available in Jira 8.0.0 and higher versions. If you wish to prevent users from authenticating using url parameters, specifying their username &...
Persistent Cross Site Scripting Flaw in User Profiles
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-46664. A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the...
Persistent Cross Site Scripting Flaw in User Profiles
A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the Atlassian ID system to contain an XSS vector which executes when inserted as a link, and clicked on by the victim. 1. Visit https://id.atlassian.com/profile/ 2. Update your Homepage...
Persistent Cross Site Scripting Flaw in User Profiles
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-46664. A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the...
Indexable User Content (Attachments) on Google
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-47021. User content uploaded onto answers.atlassian.com is indexable by Google due to the lack of appropriate indexing rul...
Indexable User Content (Attachments) on Google
User content uploaded onto answers.atlassian.com is indexable by Google due to the lack of appropriate indexing rules such as those in /robots.txt. Additionally, such content being indexed can be removed from Google by consulting Google's Webmaster tools. An example of indexable content is below:...
Indexable User Content (Attachments) on Google
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-47021. User content uploaded onto answers.atlassian.com is indexable by Google due to the lack of appropriate indexing...
Direct Object Reference - User Information Disclosure
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-46864. A direct object reference vulnerability exists on the answers.atlassian.com platform which allows for malicious use...
Direct Object Reference - User Information Disclosure
A direct object reference vulnerability exists on the answers.atlassian.com platform which allows for malicious users to obtain the email address of any given ID. Additionally, since the IDs are incremental, it would be possible for an attacker to gain the email addresses of every single Atlassia...
Direct Object Reference - User Information Disclosure
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-46864. A direct object reference vulnerability exists on the answers.atlassian.com platform which allows for malicious...
Multiple CSRF vulnerabilities in Question/Answer Threads
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-47240. Multiple CSRF vulnerabilities exist on answers.atlassian.com where an attacker can potentially perform actions such...
Multiple CSRF vulnerabilities in Question/Answer Threads
Multiple CSRF vulnerabilities exist on answers.atlassian.com where an attacker can potentially perform actions such as the following, if the victim visits the attacker's malicious resource: Confirmed affected: - Upvoting of answers - Downvoting of answers - Deletion of answers or comments - Liking...
Multiple CSRF vulnerabilities in Question/Answer Threads
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-47240. Multiple CSRF vulnerabilities exist on answers.atlassian.com where an attacker can potentially perform actions suc...
CVE-2013-4590 vulnerability with Tomcat 7.0.42 shipped with Crowd 2.7.2
Crowd 2.7.2 is shipped with Tomcat 7.0.42, which is susceptible to CVE-2013-4590 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4590). Workaround: Deploy Crowd WAR instead, with Tomcat 7.0.50 or above. Instructions here:...
Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X
Steps to reproduce: Confluence 3.5.13 Installed, booted up Postgres DB Shutdown, applied patch following advisory admin panel not accessible content appears to be missing see errors in the logs: 2014-05-22 16:28:50,308 ERROR http-8080-1 Standalone.localhost./.action log Servlet.service...
Upgrading to 5.5.1 from 5.4.3 didn't update xwork from 1.13 to 1.17
We recently upgraded our instance following your security advisory. It was discovered shortly after the upgrade that the xwork file that was vulnerable 1.13 was not upgraded to the safe version 1.17. This could have just been specific to our instance but you should check your upgrade process and...
Stored XSS in OnDemand Confluence Header via username
This is from an external report. Creating a user with username: code " code and returning to the dashboard will demonstrate the script injection. This PoC will not work in Chrome/Chromium, but will in Firefox and other browsers that do not have such protective measures...
ClassLoader manipulation vulnerability
We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Crowd web interface. In cases when anonymous access is enabled, a valid user...