Atlassian: makers of team collaboration tools such as Jira, Confluence, Bitbucket and more.


Products by Atlassian, sorted by most security vulnerabilities since 2018

Atlassian Jira: 110 vulnerabilities
Atlassian Crucible: 25 vulnerabilities
Atlassian Fisheye: 25 vulnerabilities
Atlassian Confluence: 17 vulnerabilities
Atlassian Data Center: 16 vulnerabilities
Atlassian Bitbucket: 9 vulnerabilities
Atlassian Sourcetree: 9 vulnerabilities
Atlassian Crowd: 6 vulnerabilities
Atlassian Application Links: 4 vulnerabilities
Atlassian Jira Service Desk: 4 vulnerabilities
Atlassian Bamboo: 3 vulnerabilities
Atlassian Hipchat: 3 vulnerabilities
Atlassian Crowd2: 2 vulnerabilities
Atlassian Jira Comment: 1 vulnerability
Atlassian Jira Create: 1 vulnerability
Atlassian Cloudtoken: 1 vulnerability


By the Year

In 2021 there have been 21 vulnerabilities in Atlassian products with an average score of 5.4 out of ten. Last year Atlassian had 74 security vulnerabilities published. Right now, Atlassian is on track to have fewer security vulnerabilities in 2021 than it did last year. Last year, the average CVE base score was greater by 0.58.

Year   Vulnerabilities   Average score
2021   21                5.35
2020   74                5.93
2019   68                6.45
2018   28                6.75

It may take a day or so for new Atlassian vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Atlassian Security Vulnerabilities

CVE-2020-36287 5.3 - Medium - April 09, 2021

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.

AuthZ
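Every entry on this page states its affected versions in the same two clause shapes: "before version X" (no lower bound, fixed in X) and "from version Y before Z" (Y inclusive, Z exclusive), with "prior to" used once in place of "before". The check a practitioner wants is whether a given installed version falls inside any of those ranges. The following is an added example, not code from the page or from Atlassian: a small Python checker that parses such statements and applies them. The function names and the regex are mine; the four statements in ENTRIES are quoted from entries further down this page.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'8.13' -> (8, 13, 0): pad to three components so that 8.5 == 8.5.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

# One clause of an affected-versions statement, in the shapes used on this page:
#   "before version 8.5.11"              -> no lower bound, fixed in 8.5.11
#   "from version 8.6.0 before 8.13.3"   -> 8.6.0 <= v < 8.13.3
#   "prior to version 8.8.0"             -> same as "before"
CLAUSE_RE = re.compile(
    r"(?:from\s+(?:version\s+)?(?P<lo>\d+(?:\.\d+)*)\s+)?"
    r"(?:before|prior\s+to)\s+(?:version\s+)?(?P<hi>\d+(?:\.\d+)*)",
    re.IGNORECASE,
)

def parse_ranges(statement: str) -> List[Tuple[Optional[Version], Version]]:
    """Return [(lower_inclusive_or_None, upper_exclusive), ...] for one statement."""
    ranges = []
    for m in CLAUSE_RE.finditer(statement):
        lo = parse_version(m.group("lo")) if m.group("lo") else None
        ranges.append((lo, parse_version(m.group("hi"))))
    return ranges

def is_affected(installed: str, statement: str) -> bool:
    """True if the installed version falls inside any clause of the statement."""
    v = parse_version(installed)
    return any((lo is None or lo <= v) and v < hi for lo, hi in parse_ranges(statement))

# Affected-version statements quoted verbatim from four entries on this page.
ENTRIES: Dict[str, str] = {
    "CVE-2020-36287": "before version 8.13.5, and from version 8.14.0 before version 8.15.1",
    "CVE-2021-26069": "before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0",
    "CVE-2019-20409": "prior to version 8.8.0",
    "CVE-2020-14185": "before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2",
}

def affected_cves(installed: str, entries: Dict[str, str] = ENTRIES) -> List[str]:
    """CVE IDs from `entries` whose ranges include the installed version."""
    return [cve for cve, stmt in entries.items() if is_affected(installed, stmt)]

if __name__ == "__main__":
    for v in ("8.13.4", "8.13.5", "8.14.1", "7.13.18"):
        print(v, "->", affected_cves(v) or "not in any listed range")
```

Two things the output makes visible. A version between two clauses (8.13.6 against "before 8.13.5, and from 8.14.0 before 8.15.1") is not affected, because the fix was backported to the 8.13 line. A clause with no lower bound ("before version 8.13.5") covers every older feature line, so a 7.13.x or 8.0.x instance is inside it even though those lines were no longer receiving fixes; do not read "before 8.13.5" as "only 8.13.0 to 8.13.4".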

CVE-2021-26072 4.3 - Medium - April 01, 2021

The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.

XSPA

CVE-2020-36238 5.3 - Medium - April 01, 2021

The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.

AuthZ

CVE-2020-36286 5.3 - Medium - April 01, 2021

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine whether a group exists, and to enumerate the members of groups that are assigned to a publicly visible issue field, via a missing permissions check.

CVE-2021-26071 3.5 - Low - April 01, 2021

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.

Session Riding

CVE-2021-26069 5.3 - Medium - March 22, 2021

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

Information Disclosure

CVE-2021-26070 7.2 - High - March 22, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.

Authentication

CVE-2020-36240 5.3 - Medium - March 01, 2021

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Information Disclosure

CVE-2020-29448 5.3 - Medium - February 22, 2021

The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

CVE-2020-29453 5.3 - Medium - February 22, 2021

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Directory traversal

CVE-2021-26068 8.8 - High - February 22, 2021

An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability.

Injection

CVE-2020-29451 4.3 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1.

Information Disclosure

CVE-2020-36234 4.8 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

XSS

CVE-2020-36235 5.3 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.

Information Disclosure

CVE-2020-36236 6.1 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

XSS

CVE-2020-36237 5.3 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.

Information Disclosure

CVE-2020-14192 4.3 - Medium - February 02, 2021

Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4.

Information Disclosure

CVE-2020-36231 4.3 - Medium - February 02, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.

Improper Input Validation

CVE-2021-26067 5.3 - Medium - January 28, 2021

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path of the home directory on disk and whether certain files exist in the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.

Information Disclosure

CVE-2020-29450 6.5 - Medium - January 19, 2021

Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.

Unrestricted File Upload

CVE-2020-29446 5.3 - Medium - January 18, 2021

Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.

Information Disclosure

CVE-2020-29447 4.3 - Medium - December 21, 2020

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5.

Unrestricted File Upload

CVE-2020-14193 5.4 - Medium - November 30, 2020

Affected versions of Automation for Jira - Server allowed remote attackers to read files inside the WEB-INF/classes and <jira-installation>/jira/bin directories and render them as Mustache templates, via a template injection vulnerability in Jira smart values using Mustache partials. The affected versions are those before version 7.1.15.

Injection

CVE-2020-14190 7.5 - High - November 25, 2020

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve a regular-expression denial of service (ReDoS) via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.

Denial of Service

CVE-2020-14191 7.5 - High - November 25, 2020

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.

Denial of Service

CVE-2020-14188 9.8 - Critical - November 09, 2020

The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue.

CVE-2020-14189 9.8 - Critical - November 09, 2020

The execute function in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment.

CVE-2020-14185 5.3 - Medium - October 15, 2020

Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2.

Information Disclosure

CVE-2020-14184 5.4 - Medium - October 12, 2020

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.

XSS

CVE-2020-14183 4.3 - Medium - October 06, 2020

Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.

Information Disclosure

CVE-2020-14180 4.3 - Medium - September 21, 2020

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are before version 4.12.0.

Information Disclosure

CVE-2020-14181 5.3 - Medium - September 17, 2020

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.

Information Disclosure

CVE-2020-14178 7.5 - High - September 01, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0.

Information Disclosure
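Several entries on this page are unauthenticated enumeration flaws: CVE-2020-36238 (/rest/api/1.0/render, valid usernames), CVE-2020-14181 (/ViewUserHover.jspa, users), CVE-2020-14178 (/browse.PROJECTKEY, project keys) and CVE-2021-26069 / CVE-2020-14185 (the ActionsAndOperations resource, issue and project keys). Exploitation of all of them looks the same in an access log: one client walks a candidate list against one endpoint. The following is an added example, not code from the page or from Atlassian: a detector over Tomcat-style access log lines that flags a client whose probes of one of those endpoints reach a threshold inside a sliding window. The log pattern, the /secure/ prefix for ViewUserHover.jspa, the thresholds and the sample lines are my assumptions; the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

# Request paths named in the enumeration entries on this page (CVE-2020-14181,
# CVE-2020-14178, CVE-2021-26069 / CVE-2020-14185, CVE-2020-36238). Second field:
# count distinct URLs (identifier in the URL) or raw hits (identifier in a POST body).
# ASSUMPTION: ViewUserHover.jspa is served under /secure/ on a default install.
ENUM_ENDPOINTS = {
    "userhover": (re.compile(r"^/(?:secure/)?ViewUserHover\.jspa"), True),
    "browse":    (re.compile(r"^/browse\.[A-Za-z0-9_]+"), True),
    "actions":   (re.compile(r"^/rest/api/1\.0/issues/[^/]+/ActionsAndOperations"), True),
    "render":    (re.compile(r"^/rest/api/1\.0/render(?:[/?]|$)"), False),
}

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# ASSUMPTION: the Jira access log uses this pattern; adjust LOG_RE for a custom one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> Optional[Tuple[str, str, datetime, str]]:
    """(client_ip, endpoint_name, timestamp, path) for a hit on a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    for name, (rx, _) in ENUM_ENDPOINTS.items():
        if rx.match(path):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            return m.group("ip"), name, ts, path
    return None

def detect_enumeration(lines, window_seconds: int = 60, threshold: int = 20) -> List[Tuple[str, str, int]]:
    """Return (ip, endpoint, peak) for every client whose probes of one watched
    endpoint reach `threshold` inside some `window_seconds`-long sliding window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, name, ts, path = parsed
            hits[(ip, name)].append((ts, path))
    alerts = []
    for (ip, name), events in hits.items():
        events.sort()
        by_target = ENUM_ENDPOINTS[name][1]
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until the window spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            peak = max(peak, len({p for _, p in window}) if by_target else len(window))
        if peak >= threshold:
            alerts.append((ip, name, peak))
    return alerts

# Constructed sample log lines, not real traffic: one client walks ViewUserHover.jspa
# with 25 different usernames in 25 seconds; another hovers over two users and opens
# an issue, which is what ordinary UI use looks like.
SAMPLE_LOG = [
    f'203.0.113.7 - - [20/Apr/2021:16:00:{i:02d} +0000] '
    f'"GET /secure/ViewUserHover.jspa?username=user{i:03d} HTTP/1.1" 200 1432'
    for i in range(25)
] + [
    '198.51.100.4 - alice [20/Apr/2021:16:00:05 +0000] "GET /secure/ViewUserHover.jspa?username=bob HTTP/1.1" 200 1432',
    '198.51.100.4 - alice [20/Apr/2021:16:00:09 +0000] "GET /secure/ViewUserHover.jspa?username=carol HTTP/1.1" 200 1432',
    '198.51.100.4 - alice [20/Apr/2021:16:00:12 +0000] "GET /browse/PROJ-12 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, endpoint, peak in detect_enumeration(SAMPLE_LOG):
        print(f"possible enumeration: {ip} hit {endpoint} with {peak} probes in 60s")
```

Counting distinct URLs rather than raw hits keeps a user who re-hovers the same name from tripping the rule; the render endpoint takes its input in the request body, so for it only the request count is available from the access log and the threshold should be set with that in mind. Patching to the fixed versions in each entry removes the unauthenticated behaviour; the detector is for the window before that and for spotting who was probing.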

CVE-2017-18112 6.5 - Medium - August 05, 2020

Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.

Information Disclosure

CVE-2020-14175 5.4 - Medium - July 24, 2020

Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.

XSS

CVE-2019-20901 6.1 - Medium - July 13, 2020

The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.

Open Redirect

CVE-2020-14174 4.3 - Medium - July 13, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.

Improper Input Validation

CVE-2019-20897 6.5 - Medium - July 13, 2020

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

Unrestricted File Upload

CVE-2019-20898 7.5 - High - July 13, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.

Information Disclosure

CVE-2019-20899 5.3 - Medium - July 13, 2020

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.

CVE-2019-20900 4.8 - Medium - July 13, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.

XSS

CVE-2020-14170 4.3 - Medium - July 09, 2020

Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.

XSPA

CVE-2020-14171 6.5 - Medium - July 09, 2020

Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.

Cleartext Transmission of Sensitive Information

CVE-2019-20419 7.8 - High - July 03, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.

Untrusted Path

CVE-2020-14172 9.8 - Critical - July 03, 2020

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.

Injection

CVE-2020-14173 5.4 - Medium - July 03, 2020

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

XSS

CVE-2019-20418 6.5 - Medium - July 03, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.

CVE-2019-20417 6.1 - Medium - July 02, 2020

NOTE: This candidate is a duplicate of CVE-2019-15011. All CVE users should reference CVE-2019-15011 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Open Redirect

CVE-2020-4022 6.1 - Medium - July 01, 2020

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.

XSS

CVE-2020-4024 5.4 - Medium - July 01, 2020

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.

XSS

CVE-2020-4025 4.8 - Medium - July 01, 2020

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with an rdf content type.

XSS

CVE-2020-4027 4.7 - Medium - July 01, 2020

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.

Injection

CVE-2020-4029 4.3 - Medium - July 01, 2020

The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.

AuthZ

CVE-2019-20408 5.3 - Medium - July 01, 2020

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

XSPA

CVE-2020-14164 6.1 - Medium - July 01, 2020

The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.

XSS

CVE-2020-14165 5.3 - Medium - July 01, 2020

The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain custom project avatar names via an Improper Authorization vulnerability.

AuthZ

CVE-2020-14166 4.8 - Medium - July 01, 2020

The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript via a Cross Site Scripting (XSS) vulnerability by uploading an HTML file.

XSS

CVE-2020-14167 7.5 - High - July 01, 2020

The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability.

CVE-2020-14168 5.9 - Medium - July 01, 2020

The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.

Information Disclosure

CVE-2020-14169 6.1 - Medium - July 01, 2020

The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.

XSS

CVE-2019-20415 4.3 - Medium - June 30, 2020

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.

Session Riding

CVE-2019-20416 4.8 - Medium - June 30, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.

XSS

CVE-2019-20414 5.4 - Medium - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

XSS

CVE-2019-20410 6.5 - Medium - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.

Information Disclosure

CVE-2019-20411 4.3 - Medium - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Session Riding

CVE-2019-20412 5.3 - Medium - June 29, 2020

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: workflow names; the project key, if it is part of the workflow name; issue keys; issue types; status types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Authentication

CVE-2019-20413 7.5 - High - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Improper Input Validation

CVE-2020-4028 5.3 - Medium - June 23, 2020

In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist, an Information Disclosure vulnerability.

Side Channel Attack

CVE-2019-20409 9.8 - Critical - June 23, 2020

The way in which Velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server-side template injection vulnerability.

Injection

CVE-2020-4013 5.4 - Medium - June 01, 2020

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the review objectives.

XSS

CVE-2020-4014 4.3 - Medium - June 01, 2020

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability.

AuthZ

CVE-2020-4015 4.3 - Medium - June 01, 2020

The /json/fe/activeUserFinder.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user email addresses via an information disclosure vulnerability.

Information Disclosure

CVE-2020-4016 5.3 - Medium - June 01, 2020

The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability.

Information Disclosure

CVE-2020-4017 5.3 - Medium - June 01, 2020

The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability.

Information Disclosure

CVE-2020-4018 8.8 - High - June 01, 2020

The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allow remote attackers to complete the setup process via a cross-site request forgery (CSRF) vulnerability.

Session Riding

CVE-2020-4021 5.4 - Medium - June 01, 2020

Atlassian Jira Server and Data Center versions before 8.5.5, and from 8.6.0 before 8.8.1, allow remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the XML export view.

XSS

CVE-2020-4023 5.4 - Medium - June 01, 2020

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the committerFilter parameter.

XSS

CVE-2019-20102 6.1 - Medium - April 22, 2020

The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter.

XSS

CVE-2020-9344 6.1 - Medium - March 20, 2020

Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations.

XSS

CVE-2019-20105 4.9 - Medium - March 17, 2020

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to an administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo", through an improper access control vulnerability.

Missing Authentication for Critical Function

CVE-2019-20407 4.3 - Medium - March 17, 2020

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through a missing authorisation check.

AuthZ

CVE-2019-20098 4.3 - Medium - February 12, 2020

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Session Riding

CVE-2019-20099 4.3 - Medium - February 12, 2020

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Session Riding

CVE-2019-20100 4.7 - Medium - February 12, 2020

The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Session Riding

CVE-2019-20104 7.5 - High - February 06, 2020

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.

XEE

CVE-2019-20106 4.3 - Medium - February 06, 2020

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.

Incorrect Default Permissions

CVE-2019-20400 7.8 - High - February 06, 2020

The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a DLL file to a directory in the global PATH environment variable to inject code via a DLL hijacking vulnerability.

Untrusted Path

CVE-2019-20401 6.5 - Medium - February 06, 2020

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Session Riding

CVE-2019-20402 4.9 - Medium - February 06, 2020

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.

CVE-2019-20403 5.3 - Medium - February 06, 2020

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability.

Information Disclosure

CVE-2019-20404 4.3 - Medium - February 06, 2020

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

CVE-2019-20405 4.3 - Medium - February 06, 2020

The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.

Session Riding

CVE-2019-15010 8.8 - High - January 15, 2020

Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.

Command Injection

CVE-2019-15012 8.8 - High - January 15, 2020

Bitbucket Server and Bitbucket Data Center from version 4.13 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file on the victim's Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server or Bitbucket Data Center instance.

Improper Privilege Management

CVE-2019-20097 8.8 - High - January 15, 2020

Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content.

CVE-2019-15006 6.5 - Medium - December 19, 2019

There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked; however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information.

Improper Control of Dynamically-Managed Code Resources

CVE-2019-15013 4.3 - Medium - December 18, 2019

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.

AuthZ

CVE-2019-15011 4.3 - Medium - December 17, 2019

The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check.

Incorrect Default Permissions

CVE-2019-13347 7.5 - High - December 13, 2019

An issue was discovered in the SAML Single Sign On (SSO) plugin for several Atlassian products affecting versions 3.1.0 through 3.2.2 for Jira and Confluence, versions 2.4.0 through 3.0.3 for Bitbucket, and versions 2.4.0 through 2.5.2 for Bamboo. It allows locally disabled users to reactivate their accounts just by browsing the affected Jira/Confluence/Bitbucket/Bamboo instance, even when the applicable configuration option of the plugin has been disabled ("Reactivate inactive users"). Exploiting this vulnerability requires an attacker to be authorized by the identity provider and requires that the plugin's configuration option "User Update Method" have the "Update from SAML Attributes" value.

CVE-2019-15007 4.8 - Medium - December 11, 2019

The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the name of a missing branch.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.