Atlassian Makers of Team Collaboration tools such as Jira, Confluence, Bitbucket and more.

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Atlassian product.

Products by Atlassian Sorted by Most Security Vulnerabilities since 2018

Atlassian Jira160 vulnerabilities

Atlassian Jira Server132 vulnerabilities

Atlassian Jira Data Center78 vulnerabilities

Atlassian Confluence Server42 vulnerabilities

Atlassian Crucible35 vulnerabilities

Atlassian Fisheye35 vulnerabilities

Atlassian Confluence Data Center31 vulnerabilities

Atlassian Confluence25 vulnerabilities

Atlassian Jira Service Management15 vulnerabilities

Atlassian Crowd13 vulnerabilities

Atlassian Sourcetree10 vulnerabilities

Atlassian Bamboo9 vulnerabilities

Atlassian Questions For Confluence3 vulnerabilities

Atlassian Bitbucket Data Center2 vulnerabilities

Atlassian Bamboo Data Center1 vulnerability

Atlassian Bamboo Server1 vulnerability

Atlassian Assets Discovery Data Server1 vulnerability

Atlassian Assets Discovery Data Center1 vulnerability

Atlassian Assets Discovery Cloud1 vulnerability

Atlassian Bitbucket Server1 vulnerability

Recent Atlassian Security Advisories

Advisory	Title	Published
1510670627	Security Bulletin - February 18 2025	February 18, 2025
1489803942	Security Bulletin - January 21 2025	January 21, 2025
1476624803	Security Bulletin - December 10 2024	December 10, 2024
1456179091	Security Bulletin - November 19 2024	November 19, 2024
1442910972	Security Bulletin - October 15 2024	October 15, 2024
1431249025	Security Bulletin - September 17 2024	September 17, 2024
1431535667	Security Bulletin - August 20 2024	August 20, 2024
1319242919	CVE-2023-46604 - Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server	July 24, 2024
1333990257	CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server	July 24, 2024
1417150917	Security Bulletin - July 16 2024	July 16, 2024

Known Exploited Atlassian Vulnerabilities

The following Atlassian vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title	Description	Added
Atlassian Jira Server and Data Center Path Traversal Vulnerability	Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint. CVE-2021-26086 Exploit Probability: 96.7%	November 12, 2024
Atlassian Confluence Data Center and Server Template Injection Vulnerability	Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution. CVE-2023-22527 Exploit Probability: 97.3%	January 24, 2024
Atlassian Confluence Data Center and Server Improper Authorization Vulnerability	Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. There is no impact on confidentiality since the attacker cannot exfiltrate any data. CVE-2023-22518 Exploit Probability: 97.1%	November 7, 2023
Atlassian Confluence Data Center and Server Privilege Escalation Vulnerability	Atlassian Confluence Data Center and Server contains a privilege escalation vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence. CVE-2023-22515 Exploit Probability: 97.2%	October 5, 2023
Atlassian Bitbucket Server and Data Center Command Injection Vulnerability	Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request. CVE-2022-36804 Exploit Probability: 97.4%	September 30, 2022
Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability	Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group. CVE-2022-26138 Exploit Probability: 96.8%	July 29, 2022
Confluence Server and Data Center Remote Code Execution Vulnerability	Versions of Confluence Server and Data Center contain a remote code execution vulnerability that allow for an unauthenticated attacker to perform arbitrary code execution. CVE-2022-26134 Exploit Probability: 97.4%	June 2, 2022
Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability	Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint. CVE-2021-26085 Exploit Probability: 95.6%	March 28, 2022
Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability	Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution. CVE-2019-11581 Exploit Probability: 97.4%	March 7, 2022
Atlassian Confluence Path Traversal Vulnerability	Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confl CVE-2019-3398 Exploit Probability: 95.6%	November 3, 2021
Atlassian Confluence Server < 6.13.23, 6.14.0 - 7.12.5 Arbitrary Code Execution	Atlassian Confluence Server The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 contains an OGNL injection vulnerability which allows an attacker to execute arbitrary code. CVE-2021-26084 Exploit Probability: 97.2%	November 3, 2021
Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability	Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 befo CVE-2019-11580 Exploit Probability: 97.2%	November 3, 2021
Remote code execution via Widget Connector macro Vulnerability	Allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. CVE-2019-3396 Exploit Probability: 96.9%	November 3, 2021

Of the known exploited vulnerabilities above, 13 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 0 vulnerabilities in Atlassian. Last year, in 2024 Atlassian had 64 security vulnerabilities published. Right now, Atlassian is on track to have less security vulnerabilities in 2025 than it did last year.

Year	Vulnerabilities	Average Score
2025	0	0.00
2024	64	7.13
2023	39	7.82
2022	64	7.15
2021	86	6.38
2020	86	6.26
2019	70	6.52
2018	34	6.74

It may take a day or so for new Atlassian vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Atlassian Security Vulnerabilities

Apache Tomcat TOCTOU Race Condition Vulnerability in Default Servlet

CVE-2024-56337 - December 20, 2024

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

TOCTTOU

Spring Framework Path Traversal Vulnerability in WebMvc.fn and WebFlux.fn

CVE-2024-38819 - December 19, 2024

Apache Tomcat JSP Compilation TOCTOU Race Condition Vulnerability

CVE-2024-50379 - December 17, 2024

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

TOCTTOU

Jira Custom Node Extension Remote Code Execution Vulnerability

CVE-2024-21574 - December 12, 2024

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server.

PDF Font File Exposure Vulnerability in Atlassian Confluence

CVE-2024-47579 - December 10, 2024

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability

Insertion of Sensitive Information into Externally-Accessible File or Directory

Arbitrary File Read Vulnerability in Atlassian Confluence Server PDF Export Feature

CVE-2024-47580 - December 10, 2024

An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.

Insertion of Sensitive Information into Externally-Accessible File or Directory

Confluence Data Center and Server Security Misconfiguration on Windows

CVE-2024-21703 - November 27, 2024

This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5 * Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2 * Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0 See the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ). This vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot.

Sourcetree Remote Code Execution Vulnerability

CVE-2024-21697 8.8 - High - November 19, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9 Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]). This vulnerability was reported via our Penetration Testing program.

Apache Tomcat Unchecked Error Condition in Jakarta Authentication

CVE-2024-52316 - November 18, 2024

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Unchecked Error Condition

XStream 1.4 BinaryStream Stack Overflow DoS

CVE-2024-47072 - November 08, 2024

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

Marshaling, Unmarshaling

Apache Tomcat TLS Handshake DoS

CVE-2024-38286 7.5 - High - November 07, 2024

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Allocation of Resources Without Limits or Throttling

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code

CVE-2024-47561 - October 03, 2024

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

Marshaling, Unmarshaling

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags

CVE-2024-7254 - September 19, 2024

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG

CVE-2024-45801 - September 16, 2024

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.

ReDoS

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks

CVE-2024-38816 - September 13, 2024

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty

This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0

CVE-2024-21690 - August 21, 2024

This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0

CVE-2024-21689 8 - High - August 20, 2024

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17 Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]). This vulnerability was reported via our Bug Bounty program.

axios 1.7.2 allows SSRF

CVE-2024-39338 7.5 - High - August 12, 2024

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

SSRF

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9

CVE-2024-32007 7.5 - High - July 19, 2024

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

Vulnerability in the Oracle Java SE

CVE-2024-21147 7.4 - High - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

This High severity File Inclusion vulnerability was introduced in versions 9.0.0

CVE-2024-21687 8.1 - High - July 16, 2024

This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program.

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server

CVE-2024-21686 8.7 - High - July 16, 2024

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

XSS

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat

CVE-2024-34750 - July 03, 2024

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Resource Exhaustion

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat

CVE-2024-34750 - July 03, 2024

Resource Exhaustion

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center

CVE-2024-21685 6.5 - Medium - June 18, 2024

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.4, allows an unauthenticated attacker to view sensitive information via an Information Disclosure vulnerability which has high impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Jira Core Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Core Data Center 9.4: Upgrade to a release greater than or equal to 9.4.21 Jira Core Data Center 9.12: Upgrade to a release greater than or equal to 9.12.8 Jira Core Data Center 9.16: Upgrade to a release greater than or equal to 9.16.0 See the release notes. You can download the latest version of Jira Core Data Center from the download center. This vulnerability was found internally.

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server

CVE-2024-21683 - May 21, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server

CVE-2024-21683 - May 21, 2024

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context

CVE-2024-4367 8.8 - High - May 14, 2024

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS)

CVE-2024-4067 - May 14, 2024

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle

CVE-2024-4068 - May 14, 2024

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78

CVE-2024-30172 - May 14, 2024

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78

CVE-2024-29857 - May 14, 2024

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78

CVE-2024-29857 - May 14, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21094 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency)

CVE-2024-21085 - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle Java SE

CVE-2024-21068 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-21012 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-21011 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22262 - April 16, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1

CVE-2024-29131 - March 21, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Memory Corruption

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1

CVE-2024-29131 - March 21, 2024

Memory Corruption

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1

CVE-2024-29133 - March 21, 2024

Memory Corruption

This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center

CVE-2024-21677 8.8 - High - March 19, 2024

This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was reported via our Bug Bounty program.

Directory traversal

In Spring Security

CVE-2024-22257 - March 18, 2024

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

In Spring Security

CVE-2024-22257 - March 18, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g

CVE-2024-22259 - March 16, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g

CVE-2024-22259 - March 16, 2024

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

CVE-2024-23672 - March 13, 2024

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Insufficient Cleanup

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat

CVE-2024-24549 - March 13, 2024

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Improper Input Validation

An issue in Clojure versions 1.20 to 1.12.0-alpha5

CVE-2024-22871 - February 29, 2024

An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function.

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly

CVE-2023-45859 - February 28, 2024

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22243 - February 23, 2024

This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions)

CVE-2024-21682 - February 20, 2024

This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network. This Injection vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Assets Discovery customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes (https://confluence.atlassian.com/assetapps/assets-discovery-3-2-1-cloud-6-2-1-data_center-1333987182.html). You can download the latest version of Assets Discovery from the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1214668/assets-discovery?hosting=datacenter&tab=installation). This vulnerability was reported via our Penetration Testing program.

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center

CVE-2024-21678 - February 20, 2024

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2| |from 8.6.0 to 8.6.1|8.8.0 recommended| |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS| |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS| |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS| |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS| |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS| |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS| |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS| |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| Server Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended | |from 8.4.0 to 8.4.5|8.5.6 LTS recommended| |from 8.3.0 to 8.3.4|8.5.6 LTS recommended| |from 8.2.0 to 8.2.3|8.5.6 LTS recommended| |from 8.1.0 to 8.1.4|8.5.6 LTS recommended| |from 8.0.0 to 8.0.4|8.5.6 LTS recommended| |from 7.20.0 to 7.20.3|8.5.6 LTS recommended| |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS| |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS| See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program.

Bamboo SQL Injection when pgjdbc PreferQueryMode=SIMPLE

CVE-2024-1597 9.8 - Critical - February 19, 2024

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

SQL Injection

Bamboo SQL Injection when pgjdbc PreferQueryMode=SIMPLE

CVE-2024-1597 9.8 - Critical - February 19, 2024

SQL Injection

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress:

CVE-2024-25710 5.5 - Medium - February 19, 2024

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Infinite Loop

Vulnerability in the Oracle Java SE

CVE-2024-20945 4.7 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-20921 5.9 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-20919 5.9 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption)

CVE-2023-52428 7.5 - High - February 11, 2024

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Vulnerability in the Oracle Java SE

CVE-2024-20952 7.4 - High - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-20932 7.5 - High - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-20926 5.9 - Medium - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-20918 7.4 - High - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassians January Security Bulletin.

Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server

CVE-2024-21674 7.5 - High - January 16, 2024

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, no impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ).

Code Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server

CVE-2024-21673 8.8 - High - January 16, 2024

This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ).

Code Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server

CVE-2024-21672 8.8 - High - January 16, 2024

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

Code Injection

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server

CVE-2024-21674 7.5 - High - January 16, 2024

Code Injection

This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server

CVE-2024-21673 8.8 - High - January 16, 2024

Code Injection

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server

CVE-2024-21672 8.8 - High - January 16, 2024

Code Injection

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center

CVE-2023-22526 8.8 - High - January 16, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to a release 7.19.17, or any higher 7.19.x release Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program

Code Injection

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center

CVE-2023-22526 8.8 - High - January 16, 2024

Code Injection

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

Injection

Amazon Ion is a Java implementation of the Ion data notation

CVE-2024-21634 7.5 - High - January 03, 2024

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.

Allocation of Resources Without Limits or Throttling

Amazon Ion is a Java implementation of the Ion data notation

CVE-2024-21634 7.5 - High - January 03, 2024

Allocation of Resources Without Limits or Throttling

Amazon Ion is a Java implementation of the Ion data notation

CVE-2024-21634 7.5 - High - January 03, 2024

Allocation of Resources Without Limits or Throttling

This vulnerability, if exploited

CVE-2023-22523 8.8 - High - December 06, 2023

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent.

This Template Injection vulnerability

CVE-2023-22522 8.8 - High - December 06, 2023

This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance. Publicly accessible Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See the advisory for additional details Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Injection

This Template Injection vulnerability

CVE-2023-22522 8.8 - High - December 06, 2023

Injection

Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability

CVE-2023-22524 9.8 - Critical - December 06, 2023

Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companions blocklist and MacOS Gatekeeper to allow execution of code.

This vulnerability, if exploited

CVE-2023-22523 8.8 - High - December 06, 2023

Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability

CVE-2023-22524 9.8 - Critical - December 06, 2023

This Template Injection vulnerability

CVE-2023-22522 8.8 - High - December 06, 2023

Injection

Atlassian Makers of Team Collaboration tools such as Jira, Confluence, Bitbucket and more.

Don't miss out!

Products by Atlassian Sorted by Most Security Vulnerabilities since 2018

Atlassian Jira160 vulnerabilities

Atlassian Jira Server132 vulnerabilities

Atlassian Jira Data Center78 vulnerabilities

Atlassian Confluence Server42 vulnerabilities

Atlassian Crucible35 vulnerabilities

Atlassian Fisheye35 vulnerabilities

Atlassian Confluence Data Center31 vulnerabilities

Atlassian Confluence25 vulnerabilities

Atlassian Jira Service Management15 vulnerabilities

Atlassian Crowd13 vulnerabilities

Atlassian Sourcetree10 vulnerabilities

Atlassian Bamboo9 vulnerabilities

Atlassian Questions For Confluence3 vulnerabilities

Atlassian Bitbucket Data Center2 vulnerabilities

Atlassian Bamboo Data Center1 vulnerability

Atlassian Bamboo Server1 vulnerability

Atlassian Assets Discovery Data Server1 vulnerability

Atlassian Assets Discovery Data Center1 vulnerability

Atlassian Assets Discovery Cloud1 vulnerability

Atlassian Bitbucket Server1 vulnerability

Recent Atlassian Security Advisories

Known Exploited Atlassian Vulnerabilities

By the Year

Recent Atlassian Security Vulnerabilities

Apache Tomcat TOCTOU Race Condition Vulnerability in Default Servlet CVE-2024-56337 - December 20, 2024

Spring Framework Path Traversal Vulnerability in WebMvc.fn and WebFlux.fn CVE-2024-38819 - December 19, 2024

Apache Tomcat JSP Compilation TOCTOU Race Condition Vulnerability CVE-2024-50379 - December 17, 2024

Jira Custom Node Extension Remote Code Execution Vulnerability CVE-2024-21574 - December 12, 2024

PDF Font File Exposure Vulnerability in Atlassian Confluence CVE-2024-47579 - December 10, 2024

Arbitrary File Read Vulnerability in Atlassian Confluence Server PDF Export Feature CVE-2024-47580 - December 10, 2024

Confluence Data Center and Server Security Misconfiguration on Windows CVE-2024-21703 - November 27, 2024

Sourcetree Remote Code Execution Vulnerability CVE-2024-21697 8.8 - High - November 19, 2024

Apache Tomcat Unchecked Error Condition in Jakarta Authentication CVE-2024-52316 - November 18, 2024

XStream 1.4 BinaryStream Stack Overflow DoS CVE-2024-47072 - November 08, 2024

Apache Tomcat TLS Handshake DoS CVE-2024-38286 7.5 - High - November 07, 2024

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code CVE-2024-47561 - October 03, 2024

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags CVE-2024-7254 - September 19, 2024

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG CVE-2024-45801 - September 16, 2024

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks CVE-2024-38816 - September 13, 2024

This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0 CVE-2024-21690 - August 21, 2024

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0 CVE-2024-21689 8 - High - August 20, 2024

axios 1.7.2 allows SSRF CVE-2024-39338 7.5 - High - August 12, 2024

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 CVE-2024-32007 7.5 - High - July 19, 2024

Vulnerability in the Oracle Java SE CVE-2024-21147 7.4 - High - July 16, 2024

This High severity File Inclusion vulnerability was introduced in versions 9.0.0 CVE-2024-21687 8.1 - High - July 16, 2024

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server CVE-2024-21686 8.7 - High - July 16, 2024

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat CVE-2024-34750 - July 03, 2024

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat CVE-2024-34750 - July 03, 2024

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center CVE-2024-21685 6.5 - Medium - June 18, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server CVE-2024-21683 - May 21, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server CVE-2024-21683 - May 21, 2024

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context CVE-2024-4367 8.8 - High - May 14, 2024

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) CVE-2024-4067 - May 14, 2024

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle CVE-2024-4068 - May 14, 2024

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78 CVE-2024-30172 - May 14, 2024

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78 CVE-2024-29857 - May 14, 2024

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78 CVE-2024-29857 - May 14, 2024

Vulnerability in the Oracle Java SE CVE-2024-21094 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency) CVE-2024-21085 - April 16, 2024

Vulnerability in the Oracle Java SE CVE-2024-21068 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE CVE-2024-21012 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE CVE-2024-21011 3.7 - Low - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g CVE-2024-22262 - April 16, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1 CVE-2024-29131 - March 21, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1 CVE-2024-29131 - March 21, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1 CVE-2024-29133 - March 21, 2024

This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center CVE-2024-21677 8.8 - High - March 19, 2024

In Spring Security CVE-2024-22257 - March 18, 2024

In Spring Security CVE-2024-22257 - March 18, 2024

In Spring Security CVE-2024-22257 - March 18, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g CVE-2024-22259 - March 16, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g CVE-2024-22259 - March 16, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g CVE-2024-22259 - March 16, 2024

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat CVE-2024-23672 - March 13, 2024

Apache Tomcat TOCTOU Race Condition Vulnerability in Default Servlet

CVE-2024-56337 - December 20, 2024

Spring Framework Path Traversal Vulnerability in WebMvc.fn and WebFlux.fn

CVE-2024-38819 - December 19, 2024

Apache Tomcat JSP Compilation TOCTOU Race Condition Vulnerability

CVE-2024-50379 - December 17, 2024

Jira Custom Node Extension Remote Code Execution Vulnerability

CVE-2024-21574 - December 12, 2024

PDF Font File Exposure Vulnerability in Atlassian Confluence

CVE-2024-47579 - December 10, 2024

Arbitrary File Read Vulnerability in Atlassian Confluence Server PDF Export Feature

CVE-2024-47580 - December 10, 2024

Confluence Data Center and Server Security Misconfiguration on Windows

CVE-2024-21703 - November 27, 2024

Sourcetree Remote Code Execution Vulnerability

CVE-2024-21697 8.8 - High - November 19, 2024

Apache Tomcat Unchecked Error Condition in Jakarta Authentication

CVE-2024-52316 - November 18, 2024

XStream 1.4 BinaryStream Stack Overflow DoS

CVE-2024-47072 - November 08, 2024

Apache Tomcat TLS Handshake DoS

CVE-2024-38286 7.5 - High - November 07, 2024

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code

CVE-2024-47561 - October 03, 2024

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags

CVE-2024-7254 - September 19, 2024

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG

CVE-2024-45801 - September 16, 2024

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks

CVE-2024-38816 - September 13, 2024

This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0

CVE-2024-21690 - August 21, 2024

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0

CVE-2024-21689 8 - High - August 20, 2024

axios 1.7.2 allows SSRF

CVE-2024-39338 7.5 - High - August 12, 2024

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9

CVE-2024-32007 7.5 - High - July 19, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21147 7.4 - High - July 16, 2024

This High severity File Inclusion vulnerability was introduced in versions 9.0.0

CVE-2024-21687 8.1 - High - July 16, 2024

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server

CVE-2024-21686 8.7 - High - July 16, 2024

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat

CVE-2024-34750 - July 03, 2024

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat

CVE-2024-34750 - July 03, 2024

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center

CVE-2024-21685 6.5 - Medium - June 18, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server

CVE-2024-21683 - May 21, 2024

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server

CVE-2024-21683 - May 21, 2024

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context

CVE-2024-4367 8.8 - High - May 14, 2024

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS)

CVE-2024-4067 - May 14, 2024

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle

CVE-2024-4068 - May 14, 2024

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78

CVE-2024-30172 - May 14, 2024

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78

CVE-2024-29857 - May 14, 2024

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78

CVE-2024-29857 - May 14, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21094 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency)

CVE-2024-21085 - April 16, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21068 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21012 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21011 3.7 - Low - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22262 - April 16, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22262 - April 16, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1

CVE-2024-29131 - March 21, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1

CVE-2024-29131 - March 21, 2024

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1

CVE-2024-29133 - March 21, 2024

This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center

CVE-2024-21677 8.8 - High - March 19, 2024

In Spring Security

CVE-2024-22257 - March 18, 2024

In Spring Security

CVE-2024-22257 - March 18, 2024

In Spring Security

CVE-2024-22257 - March 18, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g

CVE-2024-22259 - March 16, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g

CVE-2024-22259 - March 16, 2024

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g

CVE-2024-22259 - March 16, 2024

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

CVE-2024-23672 - March 13, 2024

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat

CVE-2024-24549 - March 13, 2024

An issue in Clojure versions 1.20 to 1.12.0-alpha5

CVE-2024-22871 - February 29, 2024

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly

CVE-2023-45859 - February 28, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22243 - February 23, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22243 - February 23, 2024

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g

CVE-2024-22243 - February 23, 2024

This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions)

CVE-2024-21682 - February 20, 2024

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center

CVE-2024-21678 - February 20, 2024

Bamboo SQL Injection when pgjdbc PreferQueryMode=SIMPLE

CVE-2024-1597 9.8 - Critical - February 19, 2024

Bamboo SQL Injection when pgjdbc PreferQueryMode=SIMPLE

CVE-2024-1597 9.8 - Critical - February 19, 2024

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress:

CVE-2024-25710 5.5 - Medium - February 19, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20945 4.7 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20921 5.9 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20919 5.9 - Medium - February 17, 2024

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption)

CVE-2023-52428 7.5 - High - February 11, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20952 7.4 - High - January 16, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20932 7.5 - High - January 16, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20926 5.9 - Medium - January 16, 2024

Vulnerability in the Oracle Java SE

CVE-2024-20918 7.4 - High - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server

CVE-2024-21674 7.5 - High - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server

CVE-2023-22527 9.8 - Critical - January 16, 2024