Atlassian Jira Software Data Center

By the Year

In 2024 there have been 0 vulnerabilities in Atlassian Jira Software Data Center. Jira Software Data Center did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 1 7.20
2021 14 6.13
2020 39 5.67
2019 0 0.00
2018 0 0.00

It may take a day or so for new Jira Software Data Center vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Atlassian Jira Software Data Center Security Vulnerabilities

CVE-2021-43944 7.2 - High - March 08, 2022

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.

Code Injection

CVE-2021-41309 5.3 - Medium - December 08, 2021

Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1.

Authentication

CVE-2021-41311 7.5 - High - December 08, 2021

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1.

Authentication

CVE-2021-41310 6.1 - Medium - November 01, 2021

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.

XSS

CVE-2021-41313 4.3 - Medium - November 01, 2021

Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7.

CVE-2021-41308 6.5 - Medium - October 26, 2021

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.

CVE-2021-41307 7.5 - High - October 26, 2021

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.

Insecure Direct Object Reference / IDOR

CVE-2021-41306 7.5 - High - October 26, 2021

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.

Insecure Direct Object Reference / IDOR

CVE-2021-41305 7.5 - High - October 26, 2021

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.

Insecure Direct Object Reference / IDOR

CVE-2021-41304 6.1 - Medium - October 26, 2021

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.

XSS

CVE-2021-39126 6.5 - Medium - October 21, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

Session Riding

CVE-2021-39127 5.3 - Medium - October 21, 2021

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to access the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

CVE-2020-36236 6.1 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

XSS

CVE-2020-36235 5.3 - Medium - February 15, 2021

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.

CVE-2020-36231 4.3 - Medium - February 02, 2021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.

Insecure Direct Object Reference / IDOR

CVE-2020-14178 7.5 - High - September 01, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0.

CVE-2020-14174 4.3 - Medium - July 13, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.

Insecure Direct Object Reference / IDOR

CVE-2019-20899 5.3 - Medium - July 13, 2020

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.

CVE-2019-20900 4.8 - Medium - July 13, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.

XSS

CVE-2019-20898 7.5 - High - July 13, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.

Information Disclosure

CVE-2019-20897 6.5 - Medium - July 13, 2020

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

Unrestricted File Upload

CVE-2019-20419 7.8 - High - July 03, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.

DLL preloading

CVE-2020-14173 5.4 - Medium - July 03, 2020

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

XSS

CVE-2020-14172 9.8 - Critical - July 03, 2020

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.

Marshaling, Unmarshaling

CVE-2019-20418 6.5 - Medium - July 03, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.

CVE-2020-4022 6.1 - Medium - July 01, 2020

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.

XSS

CVE-2020-4024 5.4 - Medium - July 01, 2020

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.

XSS

CVE-2020-4025 4.8 - Medium - July 01, 2020

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with an rdf content type.

XSS

CVE-2020-4029 4.3 - Medium - July 01, 2020

The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.

CVE-2020-14164 6.1 - Medium - July 01, 2020

The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.

XSS

CVE-2020-14165 5.3 - Medium - July 01, 2020

The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatar names via an Improper Authorization vulnerability.

AuthZ

CVE-2020-14166 4.8 - Medium - July 01, 2020

The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript via a Cross Site Scripting (XSS) vulnerability by uploading an HTML file.

XSS

CVE-2020-14167 7.5 - High - July 01, 2020

The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability.

CVE-2020-14168 5.9 - Medium - July 01, 2020

The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.

CVE-2020-14169 6.1 - Medium - July 01, 2020

The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.

XSS

CVE-2019-20416 4.8 - Medium - June 30, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.

XSS

CVE-2019-20415 4.3 - Medium - June 30, 2020

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.

Session Riding

CVE-2019-20414 5.4 - Medium - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

XSS

CVE-2019-20411 4.3 - Medium - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Session Riding

CVE-2019-20413 7.5 - High - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

CVE-2019-20410 6.5 - Medium - June 29, 2020

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.

CVE-2019-20412 5.3 - Medium - June 29, 2020

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: workflow names; project key, if it is part of the workflow name; issue keys; issue types; status types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Authentication

CVE-2020-4028 5.3 - Medium - June 23, 2020

In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist through an Information Disclosure vulnerability.

Side Channel Attack

CVE-2019-20409 9.8 - Critical - June 23, 2020

The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability.

Injection

CVE-2020-4021 5.4 - Medium - June 01, 2020

Affected versions of Atlassian Jira Server and Data Center (before 8.5.5, and from 8.6.0 before 8.8.1) allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.

XSS

CVE-2019-20407 4.3 - Medium - March 17, 2020

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through a missing authorisation check.

AuthZ

CVE-2019-20100 4.7 - Medium - February 12, 2020

The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Session Riding

CVE-2019-20099 4.3 - Medium - February 12, 2020

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Session Riding

CVE-2019-20098 4.3 - Medium - February 12, 2020

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Session Riding

CVE-2019-20405 4.3 - Medium - February 06, 2020

The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.

Session Riding

CVE-2019-20404 4.3 - Medium - February 06, 2020

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

CVE-2019-20403 5.3 - Medium - February 06, 2020

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability.

CVE-2019-20402 4.9 - Medium - February 06, 2020

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.

CVE-2019-20106 4.3 - Medium - February 06, 2020

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and from 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.

Incorrect Default Permissions
