Filtered by vendor Atlassian
Subscriptions
Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-15006 | 1 Atlassian | 2 Confluence, Confluence Server | 2021-12-13 | 6.5 Medium |
| There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information. | ||||
| CVE-2020-4027 | 1 Atlassian | 2 Confluence, Confluence Server | 2021-12-13 | 4.7 Medium |
| Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1. | ||||
| CVE-2019-20102 | 1 Atlassian | 1 Confluence Server | 2021-12-13 | 6.1 Medium |
| The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. | ||||
| CVE-2019-3396 | 1 Atlassian | 2 Confluence, Confluence Server | 2021-12-13 | 9.8 Critical |
| The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | ||||
| CVE-2019-3395 | 1 Atlassian | 2 Confluence, Confluence Server | 2021-12-13 | N/A |
| The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | ||||
| CVE-2019-3394 | 1 Atlassian | 2 Confluence, Confluence Server | 2021-12-13 | N/A |
| There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. | ||||
| CVE-2017-7415 | 1 Atlassian | 1 Confluence Server | 2021-12-13 | N/A |
| Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource. | ||||
| CVE-2012-2926 | 1 Atlassian | 7 Bamboo, Confluence, Confluence Server and 4 more | 2021-12-13 | 9.1 Critical |
| Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. | ||||
| CVE-2021-41309 | 1 Atlassian | 1 Jira Software Data Center | 2021-12-09 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1. | ||||
| CVE-2021-41311 | 1 Atlassian | 1 Jira Software Data Center | 2021-12-09 | 7.5 High |
| Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1. | ||||
| CVE-2021-41312 | 1 Atlassian | 2 Data Center, Jira | 2021-11-04 | 7.5 High |
| Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1. | ||||
| CVE-2021-41310 | 1 Atlassian | 1 Jira Software Data Center | 2021-11-02 | 6.1 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1. | ||||
| CVE-2019-20101 | 1 Atlassian | 2 Data Center, Jira | 2021-10-18 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1. | ||||
| CVE-2020-18684 | 1 Atlassian | 1 Floodlight | 2021-10-07 | 9.8 Critical |
| Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number. | ||||
| CVE-2020-18683 | 1 Atlassian | 1 Floodlight | 2021-10-03 | 9.8 Critical |
| Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of undefined fields mishandling. | ||||
| CVE-2020-18685 | 1 Atlassian | 1 Floodlight | 2021-10-03 | 9.8 Critical |
| Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs. | ||||
| CVE-2021-39109 | 1 Atlassian | 1 Atlasboard | 2021-09-10 | 7.5 High |
| The renderWidgetResource resource in Atlasian Atlasboard before version 1.1.9 allows remote attackers to read arbitrary files via a path traversal vulnerability. | ||||
| CVE-2021-39117 | 1 Atlassian | 2 Data Center, Jira | 2021-09-02 | 4.8 Medium |
| The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field. | ||||
| CVE-2021-37843 | 1 Atlassian | 1 Saml Single Sign On | 2021-08-11 | 9.8 Critical |
| The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9. | ||||
| CVE-2017-18113 | 1 Atlassian | 2 Data Center, Jira | 2021-08-10 | 8.8 High |
| The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix. | ||||