All the vulnerabilities related to Atlassian - Jira
cve-2019-8446
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-17 00:01
Summary
The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69777 | x_refsource_MISC | |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.572Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69777" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-16T18:06:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69777" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-8446", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /rest/issueNav/1/issueTable resource in Jira 
before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69777", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69777" }, { "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8446", "datePublished": "2019-08-23T13:49:47.890614Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-17T00:01:21.201Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13400
Vulnerability from cvelistv5
Published
2018-10-23 14:00
Modified
2024-09-17 01:12
Summary
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to an administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-68138 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/105751 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira |
Version: < 7.6.9; >= 7.7.0, < 7.7.5; >= 7.8.0, < 7.8.5; >= 7.9.0, < 7.9.3; >= 7.10.0, < 7.10.3; >= 7.11.0, < 7.11.3; >= 7.12.0, < 7.12.3; >= 7.13.0, < 7.13.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.135Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68138" }, { "name": "105751", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105751" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.11.0", "versionType": "custom" }, { "lessThan": "7.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.12.0", "versionType": "custom" }, { "lessThan": "7.12.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.13.0", "versionType": "custom" }, { "lessThan": "7.13.1", "status": "affected", "version": 
"unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-10-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator\u0027s session to access certain administrative resources without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-30T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68138" }, { "name": "105751", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105751" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-10-23T00:00:00", "ID": "CVE-2018-13400", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.9" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { 
"version_affected": "\u003c", "version_value": "7.10.3" }, { "version_affected": "\u003e=", "version_value": "7.11.0" }, { "version_affected": "\u003c", "version_value": "7.11.3" }, { "version_affected": "\u003e=", "version_value": "7.12.0" }, { "version_affected": "\u003c", "version_value": "7.12.3" }, { "version_affected": "\u003e=", "version_value": "7.13.0" }, { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator\u0027s session to access certain administrative resources without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-68138", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-68138" }, { "name": "105751", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105751" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13400", "datePublished": "2018-10-23T14:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-17T01:12:10.955Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14173
Vulnerability from cvelistv5
Published
2020-07-03 01:50
Modified
2024-09-16 21:56
Summary
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70814 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: < 8.5.4; >= 8.6.0, < 8.6.2; >= 8.7.0, < 8.7.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.158Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70814" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.6.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.7.0", "versionType": "custom" }, { "lessThan": "8.7.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-03-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Stored Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-03T01:50:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70814" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-03-24T00:00:00", "ID": "CVE-2020-14173", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.4" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.6.2" }, { "version_affected": "\u003e=", "version_value": "8.7.0" }, { "version_affected": "\u003c", "version_value": "8.7.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Stored Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70814", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70814" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14173", "datePublished": "2020-07-03T01:50:11.284713Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T21:56:45.464Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41304
Vulnerability from cvelistv5
Published
2021-10-26 04:15
Modified
2024-10-10 16:06
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72939 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: < 8.13.12; >= 8.14.0, < 8.20.2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.934Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72939" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-41304", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T16:06:26.531975Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T16:06:39.135Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-10T15:38:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72939" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-10-25T00:00:00", "ID": "CVE-2021-41304", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.2" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72939", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72939" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-41304", "datePublished": "2021-10-26T04:15:16.660922Z", "dateReserved": "2021-09-16T00:00:00", "dateUpdated": "2024-10-10T16:06:39.135Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13402
Vulnerability from cvelistv5
Published
2018-10-23 14:00
Modified
2024-09-16 17:52
Summary
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, and in some cases to obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/105751 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-68140 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira |
Version: < 7.6.9; >= 7.7.0, < 7.7.5; >= 7.8.0, < 7.8.5; >= 7.9.0, < 7.9.3; >= 7.10.0, < 7.10.3; >= 7.11.0, < 7.11.3; >= 7.12.0, < 7.12.3; >= 7.13.0, < 7.13.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.161Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "105751", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105751" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68140" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.11.0", "versionType": "custom" }, { "lessThan": "7.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.12.0", "versionType": "custom" }, { "lessThan": "7.12.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.13.0", "versionType": "custom" }, { "lessThan": "7.13.1", "status": "affected", "version": 
"unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-10-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-30T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "105751", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105751" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68140" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-10-23T00:00:00", "ID": "CVE-2018-13402", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.9" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { "version_affected": "\u003c", "version_value": "7.10.3" }, { 
"version_affected": "\u003e=", "version_value": "7.11.0" }, { "version_affected": "\u003c", "version_value": "7.11.3" }, { "version_affected": "\u003e=", "version_value": "7.12.0" }, { "version_affected": "\u003c", "version_value": "7.12.3" }, { "version_affected": "\u003e=", "version_value": "7.13.0" }, { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "105751", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105751" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-68140", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-68140" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13402", "datePublished": "2018-10-23T14:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-16T17:52:50.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8451
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-16 19:14
Summary
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69793 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.382Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69793" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.4.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class." } ], "problemTypes": [ { "descriptions": [ { "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-11T13:56:26", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69793" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-8451", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.4.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to 
a logic bug in the JiraWhitelist class." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69793", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69793" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8451", "datePublished": "2019-09-11T13:56:26.397882Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T19:14:27.449Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14164
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 16:59
Summary
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71184 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
Version: unspecified < 8.8.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.137Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71184" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.8.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:25", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71184" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-14164", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.8.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) 
vulnerability by pasting javascript code into the editor field." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71184", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71184" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14164", "datePublished": "2020-07-01T01:35:25.329086Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T16:59:07.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39125
Vulnerability from cvelistv5
Published
2021-09-14 06:15
Modified
2024-10-09 16:42
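Severity: 5.3 (Medium), CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, as scored in the record's CISA-ADP container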
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72009 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.10 Version: 8.6.0 < unspecified Version: unspecified < 8.13.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.940Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72009" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "8.6.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "8.6.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39125", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T16:27:00.481621Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T16:42:05.731Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.10", "status": 
"affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-09-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-14T06:15:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72009" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-09-14T00:00:00", "ID": "CVE-2021-39125", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.10" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.10" }, { 
"version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72009", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72009" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39125", "datePublished": "2021-09-14T06:15:09.714620Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-09T16:42:05.731Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20410
Vulnerability from cvelistv5
Published
2020-06-29 05:20
Modified
2024-09-17 02:16
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70884 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
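Version: unspecified < 7.6.17 Version: 7.7.0 < unspecified Version: unspecified < 7.13.9 Version: 8.0.0 < unspecified Version: unspecified < 8.4.2 |
|
Note: the summary names Jira Server and Data Center, but the affected-product list in this record names only Jira Server, so matching on the product field alone would not flag Data Center installations.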
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.835Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70884" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.17", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-29T05:20:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70884" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-03T00:00:00", "ID": "CVE-2019-20410", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.17" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.13.9" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70884", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70884" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20410", "datePublished": "2020-06-29T05:20:11.941519Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T02:16:07.001Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8450
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-16 19:50
Severity ?
EPSS score ?
Summary
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69795 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.605Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69795" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-11T13:56:26", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69795" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-8450", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69795", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69795" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8450", "datePublished": "2019-09-11T13:56:26.352487Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T19:50:40.011Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-3400
Vulnerability from cvelistv5
Published
2019-05-03 19:26
Modified
2024-09-16 16:54
Severity ?
EPSS score ?
Summary
The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69245 | x_refsource_MISC | |
http://www.securityfocus.com/bid/108168 | vdb-entry, x_refsource_BID |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:12:09.257Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69245" }, { "name": "108168", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108168" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-04-29T00:00:00", "descriptions": [ { "lang": "en", "value": "The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-07T09:06:07", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69245" }, { "name": "108168", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108168" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-04-29T00:00:00", "ID": "CVE-2019-3400", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.2" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.0.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69245", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69245" }, { "name": "108168", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108168" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-3400", "datePublished": "2019-05-03T19:26:27.890571Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-16T16:54:02.769Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14185
Vulnerability from cvelistv5
Published
2020-10-15 21:25
Modified
2024-09-16 16:24
Severity ?
EPSS score ?
Summary
Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71696 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
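Version: unspecified < 7.13.18 Version: 8.0.0 < unspecified Version: 8.6.0 < unspecified Version: unspecified < 8.12.2 |
|
Note: this version list has no entry for the 8.5.9 bound that the summary gives for the 8.0.0 range, and the legacy record below repeats 7.13.18 where that bound would be expected. Read the affected ranges from the summary rather than from the structured version data.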
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.046Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71696" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.12.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-10-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Broken Authentication", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-15T21:25:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71696" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-10-05T00:00:00", "ID": "CVE-2020-14185", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.18" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "7.13.18" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.12.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Authentication" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71696", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71696" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14185", "datePublished": "2020-10-15T21:25:13.824292Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T16:24:13.539Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39121
Vulnerability from cvelistv5
Published
2021-09-08 01:45
Modified
2024-10-10 15:05
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72715 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.18 Version: 8.6.0 < unspecified Version: unspecified < 8.13.10 Version: 8.14.0 < unspecified Version: unspecified < 8.18.2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.588Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72715" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-39121", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T15:04:51.563234Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T15:05:06.059Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.18.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.18.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-18T00:00:00", 
"descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-08T01:45:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72715" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-18T00:00:00", "ID": "CVE-2021-39121", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.18" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.10" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.18.2" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.18" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.10" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.18.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and 
Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72715", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72715" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39121", "datePublished": "2021-09-08T01:45:10.564063Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-10T15:05:06.059Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-6831
Vulnerability from cvelistv5
Published
2009-06-08 19:00
Modified
2024-08-07 11:42
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/49415 | vdb-entry, x_refsource_OSVDB | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/31967 | vdb-entry, x_refsource_BID | |
http://osvdb.org/49416 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/46168 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/32113 | third-party-advisory, x_refsource_SECUNIA | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/46167 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:42:00.754Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "49415", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/49415" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29" }, { "name": "31967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31967" }, { "name": "49416", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/49416" }, { "name": "jira-returnurl-xss(46168)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46168" }, { "name": "32113", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32113" }, { "name": "jira-viewprofile-xss(46167)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46167" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-10-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka \"Add Comment\")." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "49415", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/49415" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29" }, { "name": "31967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31967" }, { "name": "49416", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/49416" }, { "name": "jira-returnurl-xss(46168)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46168" }, { "name": "32113", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32113" }, { "name": "jira-viewprofile-xss(46167)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46167" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6831", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka \"Add Comment\")." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "49415", "refsource": "OSVDB", "url": "http://osvdb.org/49415" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29" }, { "name": "31967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31967" }, { "name": "49416", "refsource": "OSVDB", "url": "http://osvdb.org/49416" }, { "name": "jira-returnurl-xss(46168)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46168" }, { "name": "32113", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32113" }, { "name": "jira-viewprofile-xss(46167)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46167" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6831", "datePublished": "2009-06-08T19:00:00", "dateReserved": "2009-06-08T00:00:00", "dateUpdated": "2024-08-07T11:42:00.754Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18039
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-16 19:10
Summary
The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/103086 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-66719 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:06:50.178Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "103086", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103086" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66719" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "from 6.2.1 prior to 7.4.4" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-22T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "103086", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103086" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66719" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18039", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_value": "from 6.2.1 prior to 7.4.4" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The IncomingMailServers resource in 
Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "103086", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103086" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-66719", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66719" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18039", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-01-17T00:00:00", "dateUpdated": "2024-09-16T19:10:00.691Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18104
Vulnerability from cvelistv5
Published
2018-07-24 13:00
Modified
2024-09-16 19:46
Summary
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-59980 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.219Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-59980" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.11.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-07-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-07-24T12:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-59980" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-07-24T00:00:00", "ID": "CVE-2017-18104", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.7" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.11.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-59980", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-59980" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18104", "datePublished": "2018-07-24T13:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T19:46:59.715Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-1500
Vulnerability from cvelistv5
Published
2020-02-13 16:02
Modified
2024-08-06 19:01
Summary
Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code.
References
▼ | URL | Tags |
---|---|---|
https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/21052 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:01:01.475Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html" }, { "name": "21052", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/21052" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-13T16:02:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html" }, { "name": "21052", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/21052" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-1500", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html", "refsource": "MISC", "url": "https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html" }, { "name": "21052", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/21052" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-1500", "datePublished": "2020-02-13T16:02:55", "dateReserved": "2012-03-06T00:00:00", "dateUpdated": "2024-08-06T19:01:01.475Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36289
Vulnerability from cvelistv5
Published
2021-05-12 03:30
Modified
2024-10-17 14:27
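Severity
CVSS 3.1 base score 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, as given in the CISA ADP Vulnrichment container of the record below.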
Summary
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71559 | x_refsource_MISC |
Impacted products
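Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | before 8.5.13; from 8.6.0 before 8.13.5; from 8.14.0 before 8.15.1 |

Note: the CNA data in the record below lists the same ranges for Jira Data Center. The CISA ADP container in the same record gives different upper bounds for both products (before 8.5.15, from 8.6.0 before 8.13.7, from 8.14.0 before 8.17.0), so compare an installed version against both sets of ranges and the linked Atlassian issue before treating it as fixed.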
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.943Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71559" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.15", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.7", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.17.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.15", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.7", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.17.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2020-36289", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:13:49.870839Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", 
"lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:27:07.580Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-05-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-12T03:30:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71559" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-05-12T00:00:00", "ID": "CVE-2020-36289", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71559", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71559" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36289", "datePublished": "2021-05-12T03:30:12.264687Z", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2024-10-17T14:27:07.580Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20899
Vulnerability from cvelistv5
Published
2020-07-13 01:00
Modified
2024-09-17 00:41
Summary
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70808 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | before 8.5.4; from 8.6.0 before 8.6.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:53:09.541Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70808" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-03-23T00:00:00", "descriptions": [ { "lang": "en", "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-13T01:00:16", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70808" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-03-23T00:00:00", "ID": "CVE-2019-20899", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.4" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70808", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70808" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20899", "datePublished": "2020-07-13T01:00:16.851486Z", "dateReserved": "2020-07-07T00:00:00", "dateUpdated": "2024-09-17T00:41:28.244Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8445
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-17 02:21
Summary
Several worklog REST resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2, allow remote attackers to view worklog time information via a missing permissions check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69778 | x_refsource_MISC | |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.449Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69778" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-16T18:06:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69778" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-8445", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.7" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69778", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69778" }, { "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8445", "datePublished": "2019-08-23T13:49:47.839424Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-17T02:21:53.651Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-1164
Vulnerability from cvelistv5
Published
2010-04-20 15:00
Modified
2024-08-07 01:14
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/57827 | vdb-entry, x_refsource_XF | |
http://jira.atlassian.com/browse/JRA-20994 | x_refsource_CONFIRM | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/57826 | vdb-entry, x_refsource_XF | |
http://www.openwall.com/lists/oss-security/2010/04/16/3 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2010/04/16/4 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/39353 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/39485 | vdb-entry, x_refsource_BID | |
http://jira.atlassian.com/browse/JRA-21004 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T01:14:06.535Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "jira-element-xss(57827)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://jira.atlassian.com/browse/JRA-20994" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "name": "jira-groupnames-xss(57826)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826" }, { "name": "[oss-security] 20100416 CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "name": "39353", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/39353" }, { "name": "39485", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/39485" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://jira.atlassian.com/browse/JRA-21004" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-04-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to 
the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "jira-element-xss(57827)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://jira.atlassian.com/browse/JRA-20994" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "name": "jira-groupnames-xss(57826)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826" }, { "name": "[oss-security] 20100416 CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "name": "39353", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": 
"http://secunia.com/advisories/39353" }, { "name": "39485", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/39485" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://jira.atlassian.com/browse/JRA-21004" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2010-1164", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "jira-element-xss(57827)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827" }, { "name": "http://jira.atlassian.com/browse/JRA-20994", "refsource": "CONFIRM", "url": "http://jira.atlassian.com/browse/JRA-20994" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "name": "jira-groupnames-xss(57826)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826" }, { "name": "[oss-security] 20100416 CVE Request: JIRA Issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "name": "39353", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/39353" }, { "name": "39485", "refsource": "BID", "url": "http://www.securityfocus.com/bid/39485" }, { "name": "http://jira.atlassian.com/browse/JRA-21004", "refsource": "CONFIRM", "url": "http://jira.atlassian.com/browse/JRA-21004" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-1164", "datePublished": "2010-04-20T15:00:00", "dateReserved": "2010-03-29T00:00:00", "dateUpdated": "2024-08-07T01:14:06.535Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26078
Vulnerability from cvelistv5
Published
2021-06-07 22:25
Modified
2024-10-17 14:27
Summary
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72392 | x_refsource_MISC | |
http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.14; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.6; Version: 8.14.0 < unspecified; Version: unspecified < 8.16.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72392" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-26078", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:27:29.363035Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:27:52.463Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", 
"versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-05-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-28T18:06:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72392" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-05-10T00:00:00", "ID": "CVE-2021-26078", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.16.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", 
"version_value": "8.16.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72392", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72392" }, { "name": "http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26078", "datePublished": "2021-06-07T22:25:11.009457Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-17T14:27:52.463Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-6617
Vulnerability from cvelistv5
Published
2008-01-03 23:00
Modified
2024-08-07 16:11
Summary
Cross-site scripting (XSS) vulnerability in 500page.jsp in JIRA Enterprise Edition before 3.12.1 allows remote attackers to inject arbitrary web script or HTML, which is not properly handled when generating error messages, as demonstrated by input originally sent in the URI to secure/CreateIssue. NOTE: some of these details are obtained from third party information.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/27095 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24 | x_refsource_CONFIRM | |
http://osvdb.org/42768 | vdb-entry, x_refsource_OSVDB | |
http://jira.atlassian.com/browse/CONF-9560 | x_refsource_CONFIRM | |
http://secunia.com/advisories/27954 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/27094 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T16:11:06.154Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "27095", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27095" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42768", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/42768" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://jira.atlassian.com/browse/CONF-9560" }, { "name": "27954", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/27954" }, { "name": "27094", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27094" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-12-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in 500page.jsp in JIRA Enterprise Edition before 3.12.1 allows remote attackers to inject arbitrary web script or HTML, which is not properly handled when generating error messages, as demonstrated by input originally sent in the URI to secure/CreateIssue. NOTE: some of these details are obtained from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-01-09T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "27095", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27095" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42768", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/42768" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://jira.atlassian.com/browse/CONF-9560" }, { "name": "27954", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/27954" }, { "name": "27094", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27094" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-6617", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in 500page.jsp in JIRA Enterprise Edition before 3.12.1 allows remote attackers to inject arbitrary web script or HTML, which is not properly handled when generating error messages, as demonstrated by input originally sent in the URI to secure/CreateIssue. NOTE: some of these details are obtained from third party information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "27095", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27095" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42768", "refsource": "OSVDB", "url": "http://osvdb.org/42768" }, { "name": "http://jira.atlassian.com/browse/CONF-9560", "refsource": "CONFIRM", "url": "http://jira.atlassian.com/browse/CONF-9560" }, { "name": "27954", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27954" }, { "name": "27094", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27094" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-6617", "datePublished": "2008-01-03T23:00:00", "dateReserved": "2008-01-03T00:00:00", "dateUpdated": "2024-08-07T16:11:06.154Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18098
Vulnerability from cvelistv5
Published
2018-04-06 13:00
Modified
2024-09-16 18:38
Summary
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-67075 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/103765 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.193Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67075" }, { "name": "103765", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103765" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-04-06T00:00:00", "descriptions": [ { "lang": "en", "value": "The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-18T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67075" }, { "name": "103765", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103765" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-04-06T00:00:00", "ID": "CVE-2017-18098", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The searchrequest-xml 
resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-67075", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67075" }, { "name": "103765", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103765" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18098", "datePublished": "2018-04-06T13:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T18:38:34.469Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4028
Vulnerability from cvelistv5
Published
2020-06-23 12:55
Modified
2024-09-16 16:48
Summary
In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist through an Information Disclosure vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71175 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server and Data Center | Version: unspecified < 8.9.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.916Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71175" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-06-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Sensitive Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-23T12:55:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71175" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-06-17T00:00:00", "ID": "CVE-2020-4028", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some 
situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Sensitive Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71175", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71175" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-4028", "datePublished": "2020-06-23T12:55:12.201289Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-16T16:48:18.602Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26083
Vulnerability from cvelistv5
Published
2021-07-20 03:25
Modified
2024-10-17 14:33
Summary
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72213 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.14; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.6; Version: 8.14.0 < unspecified; Version: unspecified < 8.16.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.624Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72213" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-26083", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:32:52.470378Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:33:00.954Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-07-15T00:00:00", 
"descriptions": [ { "lang": "en", "value": "Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-20T03:25:15", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72213" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-07-15T00:00:00", "ID": "CVE-2021-26083", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.16.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.16.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from 
version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72213", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72213" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26083", "datePublished": "2021-07-20T03:25:15.828586Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-17T14:33:00.954Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-5231
Vulnerability from cvelistv5
Published
2018-05-16 13:00
Modified
2024-09-16 20:31
Summary
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/104205 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-67290 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T05:33:43.763Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "104205", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104205" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67290" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-05-16T00:00:00", "descriptions": [ { "lang": "en", "value": "The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-20T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "104205", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104205" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67290" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-05-16T00:00:00", "ID": "CVE-2018-5231", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.6" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.4" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.4" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "104205", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104205" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-67290", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67290" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-5231", "datePublished": "2018-05-16T13:00:00Z", "dateReserved": "2018-01-05T00:00:00", "dateUpdated": "2024-09-16T20:31:48.634Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-14997
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-16 18:44
Severity ?
EPSS score ?
Summary
The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information exposure through caching vulnerability when Jira is configured with a reverse proxy and/or a load balancer with caching or a CDN.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69794 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.000Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69794" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.4.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information expose through caching vulnerability when Jira is configured with a reverse Proxy and or a load balancer with caching or a CDN." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-524", "description": "Information Exposure Through Caching (CWE-524)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-11T13:56:26", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69794" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-14997", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.4.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their 
username, via an information expose through caching vulnerability when Jira is configured with a reverse Proxy and or a load balancer with caching or a CDN." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Exposure Through Caching (CWE-524)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69794", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69794" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-14997", "datePublished": "2019-09-11T13:56:26.203376Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T18:44:06.559Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36236
Vulnerability from cvelistv5
Published
2021-02-14 23:50
Modified
2024-09-17 02:16
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72015 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.11; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.3; Version: 8.14.0 < unspecified; Version: unspecified < 8.15.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.649Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72015" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-02-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-14T23:50:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72015" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-02-04T00:00:00", "ID": "CVE-2020-36236", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72015", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72015" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36236", "datePublished": "2021-02-14T23:50:13.382882Z", "dateReserved": "2021-01-27T00:00:00", "dateUpdated": "2024-09-17T02:16:55.095Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13387
Vulnerability from cvelistv5
Published
2018-07-16 13:00
Modified
2024-09-17 00:25
Severity ?
EPSS score ?
Summary
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/104890 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-67526 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira | Version: unspecified < 7.6.7; Version: 7.7.0 < unspecified; Version: unspecified < 7.7.5; Version: 7.8.0 < unspecified; Version: unspecified < 7.8.5; Version: 7.9.0 < unspecified; Version: unspecified < 7.9.3; Version: 7.10.0 < unspecified; Version: unspecified < 7.10.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.141Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "104890", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104890" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67526" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-07-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-07-26T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "104890", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104890" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67526" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-07-13T00:00:00", "ID": "CVE-2018-13387", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.7" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { "version_affected": "\u003c", "version_value": "7.10.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "104890", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104890" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-67526", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67526" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13387", "datePublished": "2018-07-16T13:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-17T00:25:48.998Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11587
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-17 02:06
Severity ?
EPSS score ?
Summary
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69782 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:41.027Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69782" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF)." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69782" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-11587", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.2.3" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69782", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69782" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11587", "datePublished": "2019-08-23T13:49:47.620456Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-17T02:06:37.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20411
Vulnerability from cvelistv5
Published
2020-06-29 05:30
Modified
2024-09-16 17:43
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70881 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 7.13.9; Version: 8.0.0 < unspecified; Version: unspecified < 8.4.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.917Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70881" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-29T05:30:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70881" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-08T00:00:00", "ID": "CVE-2019-20411", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.9" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70881", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70881" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20411", "datePublished": "2020-06-29T05:30:13.060776Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T17:43:47.805Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41307
Vulnerability from cvelistv5
Published
2021-10-26 04:15
Modified
2024-10-09 19:20
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72916 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.13.12; Version: 8.14.0 < unspecified; Version: unspecified < 8.20.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.948Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72916" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-41307", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T18:22:28.141294Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-09T19:20:41.686Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": 
"CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Direct Object References (IDOR)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-26T04:15:21", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72916" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-10-25T00:00:00", "ID": "CVE-2021-41307", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object References (IDOR)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72916", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72916" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-41307", "datePublished": "2021-10-26T04:15:21.297549Z", "dateReserved": "2021-09-16T00:00:00", "dateUpdated": "2024-10-09T19:20:41.686Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-14996
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-16 18:34
Severity ?
EPSS score ?
Summary
The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69790 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.093Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69790" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.3.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-11T13:56:26", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69790" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-14996", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.7" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.3.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69790", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69790" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-14996", "datePublished": "2019-09-11T13:56:26.155628Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T18:34:31.193Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-2314
Vulnerability from cvelistv5
Published
2014-03-07 20:00
Modified
2024-08-06 10:06
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26 | x_refsource_CONFIRM | |
http://www.exploit-db.com/exploits/32725 | exploit, x_refsource_EXPLOIT-DB | |
http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:06:00.445Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" }, { "name": "32725", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/32725" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-02-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-05-15T16:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" }, { "name": "32725", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/32725" }, { "tags": [ "x_refsource_MISC" ], "url": "http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2314", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" }, { "name": "32725", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/32725" }, { "name": "http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html", "refsource": "MISC", "url": "http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2314", "datePublished": "2014-03-07T20:00:00", "dateReserved": "2014-03-07T00:00:00", "dateUpdated": "2024-08-06T10:06:00.445Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20409
Vulnerability from cvelistv5
Published
2020-06-23 05:55
Modified
2024-09-17 02:26
Severity ?
EPSS score ?
Summary
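The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability. Note: the legacy CVSS v3 data embedded in this record scores the issue 4.2, with a local attack vector, high attack complexity and low privileges required, which does not match the "remote attackers" wording above; check the referenced Atlassian issue before prioritising on the score alone.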
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70944 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.8.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.850Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70944" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.8.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-06-23T00:00:00", "descriptions": [ { "lang": "en", "value": "The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-23T05:55:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70944" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-06-23T00:00:00", "ID": "CVE-2019-20409", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.8.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection 
vulnerability." } ] }, "impact": { "cvssv3": { "A": "N", "AC": "H", "AV": "L", "C": "L", "I": "L", "PR": "L", "S": "C", "SCORE": "4.2", "UI": "N" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70944", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70944" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20409", "datePublished": "2020-06-23T05:55:10.632452Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T02:26:56.721Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-16865
Vulnerability from cvelistv5
Published
2018-01-17 14:00
Modified
2024-09-17 01:30
Severity ?
EPSS score ?
Summary
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-66642 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.286Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66642" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "All versions before 7.6.1" } ] } ], "datePublic": "2018-01-16T00:00:00", "descriptions": [ { "lang": "en", "value": "The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information." } ], "problemTypes": [ { "descriptions": [ { "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-17T13:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66642" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-01-16T00:00:00", "ID": "CVE-2017-16865", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_value": "All versions before 7.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side 
Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-66642", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66642" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-16865", "datePublished": "2018-01-17T14:00:00Z", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2024-09-17T01:30:44.872Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8447
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-16 21:02
Severity ?
EPSS score ?
Summary
The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69776 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.425Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69776" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69776" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-8447", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69776", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69776" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8447", "datePublished": "2019-08-23T13:49:47.940864Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T21:02:48.300Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14178
Vulnerability from cvelistv5
Published
2020-09-01 04:25
Modified
2024-09-16 22:45
Severity ?
EPSS score ?
Summary
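Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0. Note: the structured version data in this record gives the first upper bound as 7.13.17 rather than 7.13.7; confirm the fixed version against the referenced Atlassian issue before relying on either value.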
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71498 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 7.13.17 Version: 8.0.0 < unspecified Version: unspecified < 8.5.8 Version: 8.6.0 < unspecified Version: unspecified < 8.12.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.164Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71498" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.17", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.5.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.12.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-09-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-01T04:25:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71498" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-09-01T00:00:00", "ID": "CVE-2020-14178", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.17" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.5.8" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.12.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71498", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71498" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14178", "datePublished": "2020-09-01T04:25:13.421216Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T22:45:49.594Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4021
Vulnerability from cvelistv5
Published
2020-06-01 06:35
Modified
2024-09-16 16:47
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view. The affected versions are before 8.5.5, and from 8.6.0 before 8.8.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70923 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
Version: unspecified < 8.5.5 Version: 8.6.0 < unspecified Version: unspecified < 8.8.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.541Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70923" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.8.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-01T06:35:33", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70923" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-23T00:00:00", "ID": "CVE-2020-4021", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.5" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.8.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70923", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70923" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-4021", "datePublished": "2020-06-01T06:35:33.848709Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-16T16:47:43.937Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8442
Vulnerability from cvelistv5
Published
2019-05-22 17:39
Modified
2024-09-16 17:58
Severity ?
EPSS score ?
Summary
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69241 | x_refsource_MISC | |
http://www.securityfocus.com/bid/108460 | vdb-entry, x_refsource_BID |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.463Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69241" }, { "name": "108460", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108460" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.0.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-05-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-27T07:06:02", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69241" }, { "name": "108460", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108460" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-08T00:00:00", "ID": "CVE-2019-8442", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.4" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.0.4" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69241", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69241" }, { "name": "108460", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108460" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8442", "datePublished": "2019-05-22T17:39:14.653681Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T17:58:53.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36288
Vulnerability from cvelistv5
Published
2021-04-14 23:45
Modified
2024-10-17 14:02
Severity ?
EPSS score ?
Summary
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72115 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.12 Version: 8.6.0 < unspecified Version: unspecified < 8.13.4 Version: 8.14.0 < unspecified Version: unspecified < 8.15.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:10.175Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72115" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2020-36288", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:02:31.218815Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:02:56.389Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-14T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-14T23:45:17", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72115" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-14T00:00:00", "ID": "CVE-2020-36288", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.12" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.4" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.12" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.4" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The issue navigation and search view in Jira Server and Data Center before version 
8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72115", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72115" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36288", "datePublished": "2021-04-14T23:45:17.871738Z", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2024-10-17T14:02:56.389Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20412
Vulnerability from cvelistv5
Published
2020-06-29 05:50
Modified
2024-09-17 00:06
Severity ?
EPSS score ?
Summary
The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70882 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 7.13.9 Version: 8.0.0 < unspecified Version: unspecified < 8.4.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.869Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70882" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-29T05:50:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70882" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-08T00:00:00", "ID": "CVE-2019-20412", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.9" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70882", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70882" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20412", "datePublished": "2020-06-29T05:50:11.692351Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T00:06:43.084Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4024
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 17:15
Summary
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71113 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
Version: unspecified < 8.5.5 Version: 8.6.0 < unspecified Version: unspecified < 8.8.2 Version: 8.9.0 < unspecified Version: unspecified < 8.9.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.795Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71113" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.8.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.9.0", "versionType": "custom" }, { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:28", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71113" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-4024", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.5" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.8.2" }, { "version_affected": "\u003e=", "version_value": "8.9.0" }, { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71113", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71113" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-4024", "datePublished": "2020-07-01T01:35:28.416457Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-16T17:15:19.346Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2926
Vulnerability from cvelistv5
Published
2012-05-22 15:00
Modified
2024-08-06 19:50
Summary
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/75682 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/49146 | third-party-advisory, x_refsource_SECUNIA | |
http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://osvdb.org/81993 | vdb-entry, x_refsource_OSVDB | |
http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/53595 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/75697 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:50:05.307Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "fisheye-crucible-xml-dos(75682)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "name": "49146", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/49146" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81993" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-05-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 
4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "fisheye-crucible-xml-dos(75682)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "name": "49146", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/49146" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81993" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } 
], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2926", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "fisheye-crucible-xml-dos(75682)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "name": "49146", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/49146" }, { "name": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "name": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "refsource": "OSVDB", "url": "http://osvdb.org/81993" }, { "name": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": 
"http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "name": "53595", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53595" }, { "name": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2926", "datePublished": "2012-05-22T15:00:00", "dateReserved": "2012-05-22T00:00:00", "dateUpdated": "2024-08-06T19:50:05.307Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11581
Vulnerability from cvelistv5
Published
2019-08-09 19:30
Modified
2024-09-16 22:30
Summary
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69532 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
Version: 4.4.0 < unspecified Version: unspecified < 7.6.14 Version: 7.7.0 < unspecified Version: unspecified < 7.13.5 Version: 8.0.0 < unspecified Version: unspecified < 8.0.3 Version: 8.1.0 < unspecified Version: unspecified < 8.1.2 Version: 8.2.0 < unspecified Version: unspecified < 8.2.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:40.874Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69532" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "4.4.0", "versionType": "custom" }, { "lessThan": "7.6.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.0.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-07-10T00:00:00", "descriptions": [ { "lang": "en", "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Template injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-09T19:30:59", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69532" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-07-10T10:00:00", "ID": "CVE-2019-11581", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "4.4.0" }, { "version_affected": "\u003c", "version_value": "7.6.14" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.13.5" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.0.3" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.2" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Template injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69532", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69532" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11581", "datePublished": "2019-08-09T19:30:59.317010Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-16T22:30:27.144Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36238
Vulnerability from cvelistv5
Published
2021-04-01 02:30
Modified
2024-09-17 00:30
Summary
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72249 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.13 Version: 8.6.0 < unspecified Version: unspecified < 8.13.5 Version: 8.14.0 < unspecified Version: unspecified < 8.15.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.934Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72249" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-01T02:30:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72249" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-01T00:00:00", "ID": "CVE-2020-36238", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72249", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72249" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36238", "datePublished": "2021-04-01T02:30:14.029329Z", "dateReserved": "2021-01-27T00:00:00", "dateUpdated": "2024-09-17T00:30:53.159Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26079
Vulnerability from cvelistv5
Published
2021-06-07 22:35
Modified
2024-10-17 14:29
Summary
The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72396 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.15 Version: 8.6.0 < unspecified Version: unspecified < 8.13.7 Version: 8.14.0 < unspecified Version: unspecified < 8.17.0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.868Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72396" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-26079", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:29:12.390274Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:29:23.194Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.15", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.17.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.15", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.17.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-05-26T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-07T22:35:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72396" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-05-26T00:00:00", "ID": "CVE-2021-26079", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.15" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.7" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.17.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.15" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.7" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.17.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 
before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72396", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72396" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26079", "datePublished": "2021-06-07T22:35:09.941016Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-17T14:29:23.194Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-20827
Vulnerability from cvelistv5
Published
2019-08-09 19:31
Modified
2024-09-16 22:30
Severity ?
EPSS score ?
Summary
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69237 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:12:27.271Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69237" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-09T00:00:00", "descriptions": [ { "lang": "en", "value": "The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-09T19:31:05", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69237" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-09T00:00:00", "ID": "CVE-2018-20827", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69237", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69237" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-20827", "datePublished": "2019-08-09T19:31:05.597557Z", "dateReserved": "2019-04-30T00:00:00", "dateUpdated": "2024-09-16T22:30:50.061Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26081
Vulnerability from cvelistv5
Published
2021-07-20 03:25
Modified
2024-10-11 17:18
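Severity 5.3 (MEDIUM), CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, as scored in the CISA ADP container of the record below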
EPSS score ?
Summary
REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72499 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.14; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.6; Version: 8.14.0 < unspecified; Version: unspecified < 8.16.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.588Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72499" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-26081", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T17:15:27.630370Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T17:18:17.200Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", 
"shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-07-15T00:00:00", "descriptions": [ { "lang": "en", "value": "REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Enumeration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-20T03:25:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72499" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-07-15T00:00:00", "ID": "CVE-2021-26081", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.16.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.16.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Enumeration" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72499", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72499" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26081", "datePublished": "2021-07-20T03:25:12.678817Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-11T17:18:17.200Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-5983
Vulnerability from cvelistv5
Published
2017-04-10 15:00
Modified
2024-08-05 15:18
Severity ?
EPSS score ?
Summary
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-64077 | x_refsource_CONFIRM | |
https://www.kb.cert.org/vuls/id/307983 | third-party-advisory, x_refsource_CERT-VN | |
http://www.securityfocus.com/bid/97379 | vdb-entry, x_refsource_BID | |
http://codewhitesec.blogspot.com/2017/04/amf.html | x_refsource_MISC | |
https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:18:49.331Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-64077" }, { "name": "VU#307983", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "https://www.kb.cert.org/vuls/id/307983" }, { "name": "97379", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97379" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://codewhitesec.blogspot.com/2017/04/amf.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-03-09T00:00:00", "descriptions": [ { "lang": "en", "value": "The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-04-11T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-64077" }, { "name": "VU#307983", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "https://www.kb.cert.org/vuls/id/307983" }, { "name": "97379", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97379" }, { "tags": [ "x_refsource_MISC" ], "url": "http://codewhitesec.blogspot.com/2017/04/amf.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-5983", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-64077", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-64077" }, { "name": "VU#307983", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/307983" }, { "name": "97379", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97379" }, { "name": "http://codewhitesec.blogspot.com/2017/04/amf.html", "refsource": "MISC", "url": "http://codewhitesec.blogspot.com/2017/04/amf.html" }, { "name": "https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-5983", "datePublished": "2017-04-10T15:00:00", "dateReserved": "2017-02-13T00:00:00", "dateUpdated": "2024-08-05T15:18:49.331Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18101
Vulnerability from cvelistv5
Published
2018-04-10 13:00
Modified
2024-09-16 17:19
Severity ?
EPSS score ?
Summary
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/103730 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-67107 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.218Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "103730", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103730" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67107" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-04-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "Improper Access Control (CWE-284)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-12T09:57:02", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "103730", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103730" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67107" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-04-10T00:00:00", "ID": "CVE-2017-18101", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.5" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.3" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Access Control (CWE-284)" } ] } ] }, "references": { "reference_data": [ { "name": "103730", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103730" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-67107", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67107" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18101", "datePublished": "2018-04-10T13:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T17:19:13.139Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-3402
Vulnerability from cvelistv5
Published
2019-05-22 17:38
Modified
2024-09-16 18:59
Severity ?
EPSS score ?
Summary
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69243 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:12:09.400Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69243" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-05-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-22T17:38:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69243" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-08T00:00:00", "ID": "CVE-2019-3402", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.3" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.1.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69243", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69243" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-3402", "datePublished": "2019-05-22T17:38:01.853029Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-16T18:59:29.908Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11583
Vulnerability from cvelistv5
Published
2019-06-26 15:13
Modified
2024-09-16 17:54
Severity ?
EPSS score ?
Summary
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name".
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JSWSERVER-20111 | x_refsource_MISC | |
http://www.securityfocus.com/bid/108901 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:40.952Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JSWSERVER-20111" }, { "name": "108901", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108901" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.1.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by \"Epic Name\"." } ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-27T08:06:03", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JSWSERVER-20111" }, { "name": "108901", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108901" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-06-24T00:00:00", "ID": "CVE-2019-11583", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.1.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The issue searching component in Jira before 
version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by \"Epic Name\"." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JSWSERVER-20111", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JSWSERVER-20111" }, { "name": "108901", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108901" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11583", "datePublished": "2019-06-26T15:13:17.712150Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-16T17:54:52.599Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36237
Vulnerability from cvelistv5
Published
2021-02-14 23:55
Modified
2024-09-16 18:34
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72064 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.15.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.806Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72064" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-02-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-14T23:55:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72064" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-02-04T00:00:00", "ID": "CVE-2020-36237", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.15.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.15.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72064", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72064" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36237", "datePublished": "2021-02-14T23:55:12.878225Z", "dateReserved": "2021-01-27T00:00:00", "dateUpdated": "2024-09-16T18:34:42.149Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18100
Vulnerability from cvelistv5
Published
2018-04-10 13:00
Modified
2024-08-05 21:13
Severity ?
EPSS score ?
Summary
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-67106 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/103729 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.208Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67106" }, { "name": "103729", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103729" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-04-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-12T09:57:02", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67106" }, { "name": "103729", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103729" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "ID": "CVE-2017-18100", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the 
name of quick filters." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-67106", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67106" }, { "name": "103729", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103729" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18100", "datePublished": "2018-04-10T13:00:00", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-08-05T21:13:48.208Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20898
Vulnerability from cvelistv5
Published
2020-07-13 00:55
Modified
2024-09-16 23:30
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70942 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.8.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:53:09.498Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70942" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.8.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-13T00:55:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70942" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-22T00:00:00", "ID": "CVE-2019-20898", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.8.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70942", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70942" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20898", "datePublished": "2020-07-13T00:55:12.380453Z", "dateReserved": "2020-07-07T00:00:00", "dateUpdated": "2024-09-16T23:30:41.180Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36286
Vulnerability from cvelistv5
Published
2021-04-01 03:10
Modified
2024-09-16 19:24
Severity ?
EPSS score ?
Summary
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72272 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.5.13; >= 8.6.0 and < 8.13.5; >= 8.14.0 and < 8.15.1 |
Atlassian | Jira Data Center | < 8.5.13; >= 8.6.0 and < 8.13.5; >= 8.14.0 and < 8.15.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:10.354Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72272" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists \u0026 members of groups if they are assigned to publicly visible issue field." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-01T18:09:50", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72272" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-01T00:00:00", "ID": "CVE-2020-36286", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists \u0026 members of groups if they are assigned to publicly visible issue field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72272", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72272" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36286", "datePublished": "2021-04-01T03:10:12.032285Z", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2024-09-16T19:24:29.543Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11586
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-16 17:18
Severity ?
EPSS score ?
Summary
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69783 | x_refsource_MISC |
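Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira | < 7.13.6; >= 8.0.0 and < 8.2.3; >= 8.3.0 and < 8.3.2 |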
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:41.028Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69783" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69783" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-11586", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.2.3" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69783", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69783" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11586", "datePublished": "2019-08-23T13:49:47.573286Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-16T17:18:14.250Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39117
Vulnerability from cvelistv5
Published
2021-08-30 06:30
Modified
2024-10-11 17:21
Severity ?
EPSS score ?
Summary
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72597 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.18.0 |
Atlassian | Jira Data Center | < 8.18.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.600Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72597" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-39117", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T17:21:06.082528Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T17:21:15.424Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.18.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.18.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-30T06:30:18", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72597" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-30T00:00:00", "ID": "CVE-2021-39117", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.18.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.18.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72597", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72597" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39117", "datePublished": "2021-08-30T06:30:18.840611Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-11T17:21:15.424Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-3338
Vulnerability from cvelistv5
Published
2006-07-03 18:00
Modified
2024-08-07 18:23
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page.
References
▼ | URL | Tags |
---|---|---|
http://www.vupen.com/english/advisories/2006/2472 | vdb-entry, x_refsource_VUPEN | |
http://www.securityfocus.com/bid/18575 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/27588 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/20767 | third-party-advisory, x_refsource_SECUNIA | |
http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html | x_refsource_MISC | |
http://www.osvdb.org/26744 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T18:23:21.241Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2006-2472", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "name": "18575", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/18575" }, { "name": "jira-configurereleasenote-xss(27588)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27588" }, { "name": "20767", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/20767" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "name": "26744", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/26744" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-06-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-19T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2006-2472", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "name": "18575", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/18575" }, { "name": "jira-configurereleasenote-xss(27588)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27588" }, { "name": "20767", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/20767" }, { "tags": [ "x_refsource_MISC" ], "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "name": "26744", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/26744" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-3338", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2006-2472", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "name": "18575", "refsource": "BID", "url": "http://www.securityfocus.com/bid/18575" }, { "name": "jira-configurereleasenote-xss(27588)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27588" }, { "name": "20767", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/20767" }, { "name": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html", "refsource": "MISC", "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "name": "26744", "refsource": "OSVDB", "url": "http://www.osvdb.org/26744" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-3338", "datePublished": "2006-07-03T18:00:00", "dateReserved": "2006-07-03T00:00:00", "dateUpdated": "2024-08-07T18:23:21.241Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14184
Vulnerability from cvelistv5
Published
2020-10-12 03:15
Modified
2024-09-17 00:10
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71652 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.5.9; >= 8.6.0 and < 8.12.3; >= 8.13.0 and < 8.13.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.188Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71652" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.12.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.13.0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-10-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-12T03:15:14", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71652" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-10-07T00:00:00", "ID": "CVE-2020-14184", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.9" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.12.3" }, { "version_affected": "\u003e=", "version_value": "8.13.0" }, { "version_affected": "\u003c", "version_value": "8.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71652", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71652" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14184", "datePublished": "2020-10-12T03:15:14.763070Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-17T00:10:51.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39113
Vulnerability from cvelistv5
Published
2021-08-30 06:30
Modified
2024-10-11 19:09
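Severity: 7.5 HIGH (CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), scored in the CISA-ADP container of the record below; the Atlassian CNA container carries no CVSS metric.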
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72573 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.13.9; >= 8.14.0 and < 8.18.0 |
Atlassian | Jira Data Center | < 8.13.9; >= 8.14.0 and < 8.18.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.748Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72573" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.9", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.18.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.9", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.18.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39113", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T19:00:18.342826Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-11T19:09:34.976Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, 
"title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.18.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.18.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Broken Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-30T06:30:17", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72573" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-30T00:00:00", "ID": "CVE-2021-39113", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.9" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.18.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.9" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.18.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72573", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72573" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39113", "datePublished": "2021-08-30T06:30:17.310271Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-11T19:09:34.976Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-29451
Vulnerability from cvelistv5
Published
2021-02-15 00:45
Modified
2024-09-16 16:33
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72000 | x_refsource_MISC |
Impacted products
Vendor | Product | Affected versions |
---|---|---|
Atlassian | Jira Server | before 8.5.11; from 8.6.0 before 8.13.3; from 8.14.0 before 8.14.1 |
Atlassian | Jira Data Center | before 8.5.11; from 8.6.0 before 8.13.3; from 8.14.0 before 8.14.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:55:10.212Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72000" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-01-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-15T00:45:14", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72000" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-01-20T00:00:00", "ID": "CVE-2020-29451", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72000", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72000" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-29451", "datePublished": "2021-02-15T00:45:14.942861Z", "dateReserved": "2020-12-01T00:00:00", "dateUpdated": "2024-09-16T16:33:16.867Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-6618
Vulnerability from cvelistv5
Published
2008-01-03 23:00
Modified
2024-08-07 16:11
Severity ?
EPSS score ?
Summary
JIRA Enterprise Edition before 3.12.1 allows remote attackers to delete another user's shared filter via a modified filter ID.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/27095 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24 | x_refsource_CONFIRM | |
http://osvdb.org/42769 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/27954 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T16:11:06.097Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "27095", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27095" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42769", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/42769" }, { "name": "27954", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/27954" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-12-24T00:00:00", "descriptions": [ { "lang": "en", "value": "JIRA Enterprise Edition before 3.12.1 allows remote attackers to delete another user\u0027s shared filter via a modified filter ID." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-10-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "27095", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27095" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42769", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/42769" }, { "name": "27954", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/27954" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-6618", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "JIRA Enterprise Edition before 3.12.1 allows remote attackers to delete another user\u0027s shared filter via a modified filter ID." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "27095", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27095" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42769", "refsource": "OSVDB", "url": "http://osvdb.org/42769" }, { "name": "27954", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27954" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-6618", "datePublished": "2008-01-03T23:00:00", "dateReserved": "2008-01-03T00:00:00", "dateUpdated": "2024-08-07T16:11:06.097Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26075
Vulnerability from cvelistv5
Published
2021-04-14 23:45
Modified
2024-10-17 14:03
Severity ?
EPSS score ?
Summary
The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72316 | x_refsource_MISC |
Impacted products
Vendor | Product | Affected versions |
---|---|---|
Atlassian | Jira Server | before 8.5.12; from 8.6.0 before 8.13.4; from 8.14.0 before 8.15.1 |
Atlassian | Jira Data Center | before 8.5.12; from 8.6.0 before 8.13.4; from 8.14.0 before 8.15.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.544Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72316" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-26075", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:03:14.202907Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:03:25.665Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-14T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-14T23:45:18", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72316" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-14T00:00:00", "ID": "CVE-2021-26075", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.12" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.4" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.12" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.4" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Jira importers 
plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72316", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72316" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26075", "datePublished": "2021-04-14T23:45:18.560468Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-17T14:03:25.665Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11589
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-17 04:05
Severity ?
EPSS score ?
Summary
The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, and in some cases to obtain a user's cross-site request forgery (CSRF) token, via an open redirect vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69780 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:41.046Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69780" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69780" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-11589", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.2.3" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69780", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69780" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11589", "datePublished": "2019-08-23T13:49:47.709583Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-17T04:05:01.224Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4029
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 17:54
Severity ?
EPSS score ?
Summary
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70926 | x_refsource_MISC |
Impacted products
Vendor | Product | Affected versions |
---|---|---|
Atlassian | Jira Server and Data Center | before 8.5.5; from 8.6.0 before 8.7.2; from 8.8.0 before 8.8.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.799Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70926" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.7.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.8.0", "versionType": "custom" }, { "lessThan": "8.8.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Improper authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:29", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70926" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-4029", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.5" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.7.2" }, { "version_affected": "\u003e=", "version_value": "8.8.0" }, { "version_affected": "\u003c", "version_value": "8.8.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70926", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70926" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-4029", "datePublished": "2020-07-01T01:35:29.763354Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-16T17:54:34.534Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20408
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 17:54
Severity ?
EPSS score ?
Summary
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71204 | x_refsource_MISC |
Impacted products
Vendor | Product | Affected versions |
---|---|---|
Atlassian | Jira Server | before 8.7.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.927Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71204" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.7.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class." } ], "problemTypes": [ { "descriptions": [ { "description": "Server Side Request Forgery (SSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:24", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71204" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2019-20408", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.7.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) 
vulnerability due to a logic bug in the JiraWhitelist class." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Server Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71204", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71204" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20408", "datePublished": "2020-07-01T01:35:24.899286Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T17:54:00.591Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-3403
Vulnerability from cvelistv5
Published
2019-05-22 17:35
Modified
2024-09-17 01:00
Severity ?
EPSS score ?
Summary
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69242 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:12:09.377Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69242" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.0.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-05-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-22T17:35:03", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69242" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-08T00:00:00", "ID": "CVE-2019-3403", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.3" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.0.4" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69242", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69242" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-3403", "datePublished": "2019-05-22T17:35:03.958695Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-17T01:00:56.714Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-3401
Vulnerability from cvelistv5
Published
2019-05-22 17:27
Modified
2024-09-17 04:03
Severity ?
EPSS score ?
Summary
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69244 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:12:09.256Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69244" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-05-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-22T17:27:33", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69244" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-08T00:00:00", "ID": "CVE-2019-3401", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.3" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.1.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69244", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69244" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-3401", "datePublished": "2019-05-22T17:27:33.449986Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-17T04:03:54.061Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13391
Vulnerability from cvelistv5
Published
2018-08-28 13:00
Modified
2024-09-17 04:18
Severity ?
EPSS score ?
Summary
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/105165 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-67750 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira |
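Version: unspecified < 7.6.8; Version: 7.7.0 < unspecified; Version: unspecified < 7.7.5; Version: 7.8.0 < unspecified; Version: unspecified < 7.8.5; Version: 7.9.0 < unspecified; Version: unspecified < 7.9.3; Version: 7.10.0 < unspecified; Version: unspecified < 7.10.3; Version: 7.11.0 < unspecified; Version: unspecified < 7.11.2 (each "X < unspecified" entry is the lower bound of the "unspecified < Y" entry that follows it, so per the Summary the affected ranges are: before 7.6.8; 7.7.0 up to but not including 7.7.5; 7.8.0 up to but not including 7.8.5; 7.9.0 up to but not including 7.9.3; 7.10.0 up to but not including 7.10.3; 7.11.0 up to but not including 7.11.2. Read in isolation, an entry such as "7.7.0 < unspecified" or "unspecified < 7.11.2" would also cover fixed releases, so version matching should use the paired ranges.) |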
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.137Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "105165", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105165" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67750" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.11.0", "versionType": "custom" }, { "lessThan": "7.11.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-08-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 
7.11.2 allows remote attackers who can access \u0026 view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-08-30T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "105165", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105165" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67750" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-08-24T00:00:00", "ID": "CVE-2018-13391", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.8" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { "version_affected": "\u003c", "version_value": "7.10.3" }, { "version_affected": "\u003e=", "version_value": "7.11.0" }, { "version_affected": "\u003c", "version_value": "7.11.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, 
from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access \u0026 view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "105165", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105165" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-67750", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67750" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13391", "datePublished": "2018-08-28T13:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-17T04:18:49.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-5230
Vulnerability from cvelistv5
Published
2018-05-14 13:00
Modified
2024-09-16 23:02
Severity ?
EPSS score ?
Summary
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-67289 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T05:33:43.614Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67289" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-05-11T00:00:00", "descriptions": [ { "lang": "en", "value": "The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-14T12:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67289" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-05-11T00:00:00", "ID": "CVE-2018-5230", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.6" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.4" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.4" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-67289", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67289" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-5230", "datePublished": "2018-05-14T13:00:00Z", "dateReserved": "2018-01-05T00:00:00", "dateUpdated": "2024-09-16T23:02:02.191Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20416
Vulnerability from cvelistv5
Published
2020-06-30 03:00
Modified
2024-09-17 04:14
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70856 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
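Version: unspecified < 8.3.0 (all versions before 8.3.0; the record names only "Jira Server" as the product, while the Summary covers Jira Data Center as well, so a filter on the product name alone can miss Data Center installations) |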
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:10.084Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70856" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.3.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-30T03:00:15", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70856" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-02T00:00:00", "ID": "CVE-2019-20416", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.3.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. 
The affected versions are before version 8.3.0." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70856", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70856" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20416", "datePublished": "2020-06-30T03:00:15.866051Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T04:14:48.623Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41308
Vulnerability from cvelistv5
Published
2021-10-26 04:15
Modified
2024-10-09 19:23
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72940 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
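Version: unspecified < 8.6.0; Version: 8.7.0 < unspecified; Version: unspecified < 8.13.12; Version: 8.14.0 < unspecified; Version: unspecified < 8.20.1 (each "X < unspecified" entry is the lower bound of the "unspecified < Y" entry that follows it, so per the Summary the affected ranges are: before 8.6.0; 8.7.0 up to but not including 8.13.12; 8.14.0 up to but not including 8.20.1. Read in isolation, an entry such as "8.7.0 < unspecified" would also cover fixed releases, so version matching should use the paired ranges. The record's "affected" list carries the same ranges for Jira Data Center, which this table does not show.) |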
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72940" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-41308", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T19:23:07.362491Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T19:23:22.782Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.7.0", "versionType": "custom" }, { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.7.0", "versionType": "custom" }, { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-25T00:00:00", 
"descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "Improper Authorization (CWE-285)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-26T04:15:22", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72940" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-10-25T00:00:00", "ID": "CVE-2021-41308", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.6.0" }, { "version_affected": "\u003e=", "version_value": "8.7.0" }, { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.6.0" }, { "version_affected": "\u003e=", "version_value": "8.7.0" }, { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected 
versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization (CWE-285)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72940", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72940" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-41308", "datePublished": "2021-10-26T04:15:22.911855Z", "dateReserved": "2021-09-16T00:00:00", "dateUpdated": "2024-10-09T19:23:22.782Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-3399
Vulnerability from cvelistv5
Published
2019-04-30 15:28
Modified
2024-09-16 17:48
Severity ?
EPSS score ?
Summary
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69246 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:12:09.513Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69246" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-04-29T00:00:00", "descriptions": [ { "lang": "en", "value": "The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-04-30T15:28:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69246" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-04-29T00:00:00", "ID": "CVE-2019-3399", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.2" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.0.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69246", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69246" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-3399", "datePublished": "2019-04-30T15:28:27.874744Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-16T17:48:24.295Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-6832
Vulnerability from cvelistv5
Published
2009-06-08 19:00
Modified
2024-08-07 11:42
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Enterprise Edition 3.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/46169 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/31967 | vdb-entry, x_refsource_BID | |
http://osvdb.org/49417 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/32113 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:42:00.898Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "jira-unspecified-csrf(46169)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46169" }, { "name": "31967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31967" }, { "name": "49417", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/49417" }, { "name": "32113", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32113" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-10-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Enterprise Edition 3.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "jira-unspecified-csrf(46169)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46169" }, { "name": "31967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31967" }, { "name": "49417", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/49417" }, { "name": "32113", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32113" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6832", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Enterprise Edition 3.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "jira-unspecified-csrf(46169)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46169" }, { "name": "31967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31967" }, { "name": "49417", "refsource": "OSVDB", "url": "http://osvdb.org/49417" }, { "name": "32113", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32113" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6832", "datePublished": "2009-06-08T19:00:00", "dateReserved": "2009-06-08T00:00:00", "dateUpdated": "2024-08-07T11:42:00.898Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14183
Vulnerability from cvelistv5
Published
2020-10-06 22:20
Modified
2024-09-17 02:16
Severity ?
EPSS score ?
Summary
Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71646 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
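Version: unspecified < 7.13.18; Version: 8.0.0 < unspecified; Version: unspecified < 8.5.9; Version: 8.6.0 < unspecified; Version: unspecified < 8.12.1 (each "X < unspecified" entry is the lower bound of the "unspecified < Y" entry that follows it, so per the Summary the affected ranges are: before 7.13.18; 8.0.0 up to but not including 8.5.9; 8.6.0 up to but not including 8.12.1. Read in isolation, an entry such as "8.0.0 < unspecified" would also cover fixed releases, so version matching should use the paired ranges. The record names only "Jira Server" as the product, while the Summary covers Data Center as well.) |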
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.172Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71646" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.5.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.12.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-10-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Jira Server \u0026 Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance\u0027s Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-06T22:20:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71646" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-10-05T00:00:00", "ID": "CVE-2020-14183", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.18" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.5.9" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.12.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Jira Server \u0026 Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance\u0027s Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71646", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71646" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14183", "datePublished": "2020-10-06T22:20:13.382590Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-17T02:16:18.539Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14181
Vulnerability from cvelistv5
Published
2020-09-17 00:35
Modified
2024-09-16 21:57
Summary
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-71560 | x_refsource_MISC |
| http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html | x_refsource_MISC |
Impacted products
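| Vendor | Product | Version |
|---|---|---|
| Atlassian | Jira Server | unspecified < 7.13.6; 8.0.0 < unspecified; unspecified < 8.5.7; 8.6.0 < unspecified; unspecified < 8.12.0 |

The version entries are bounds that pair up as in the summary: before 7.13.6, from 8.0.0 before 8.5.7, and from 8.6.0 before 8.12.0. An entry such as "8.0.0 < unspecified" is the lower bound of a range, not an open-ended "8.0.0 and later". Only Jira Server is listed as a product, although the summary also names Data Center.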
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.073Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71560" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.5.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.12.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-09-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Broken Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T17:06:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71560" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-09-16T00:00:00", "ID": "CVE-2020-14181", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.5.7" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.12.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71560", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71560" }, { "name": "http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14181", "datePublished": "2020-09-17T00:35:13.239120Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T21:57:12.718Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36287
Vulnerability from cvelistv5
Published
2021-04-09 02:00
Modified
2024-09-16 16:39
Summary
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-72258 | x_refsource_MISC |
Impacted products
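| Vendor | Product | Version |
|---|---|---|
| Atlassian | Jira Server | unspecified < 8.13.5; 8.14.0 < unspecified; unspecified < 8.15.1 |

The version entries are bounds that pair up as in the summary: before 8.13.5, and from 8.14.0 before 8.15.1. An entry such as "8.14.0 < unspecified" is the lower bound of a range, not an open-ended "8.14.0 and later". The record's JSON below lists the same ranges for Jira Data Center, which this table does not show.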
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:10.174Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72258" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-09T00:00:00", "descriptions": [ { "lang": "en", "value": "The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-09T02:00:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72258" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-09T00:00:00", "ID": "CVE-2020-36287", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72258", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72258" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36287", "datePublished": "2021-04-09T02:00:14.081639Z", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2024-09-16T16:39:12.728Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8443
Vulnerability from cvelistv5
Published
2019-05-22 17:37
Modified
2024-09-17 03:22
Summary
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to an administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-69240 | x_refsource_MISC |
| http://www.securityfocus.com/bid/108458 | vdb-entry, x_refsource_BID |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.583Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69240" }, { "name": "108458", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108458" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.0.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-05-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator\u0027s session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Improper Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-27T06:06:03", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69240" }, { "name": "108458", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108458" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-08T00:00:00", "ID": "CVE-2019-8443", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.4" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.0.4" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator\u0027s session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69240", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69240" }, { "name": "108458", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108458" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8443", "datePublished": "2019-05-22T17:37:11.201035Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-17T03:22:37.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11584
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-16 22:24
Summary
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-69785 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:41.044Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69785" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69785" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-11584", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69785", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69785" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11584", "datePublished": "2019-08-23T13:49:47.476469Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-16T22:24:53.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36231
Vulnerability from cvelistv5
Published
2021-02-01 23:40
Modified
2024-09-16 17:14
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-72002 | x_refsource_MISC |
Impacted products
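| Vendor | Product | Version |
|---|---|---|
| Atlassian | Jira Server | unspecified < 8.5.10; 8.6.0 < unspecified; unspecified < 8.13.2 |

The version entries are bounds that pair up as in the summary: before 8.5.10, and from 8.6.0 before 8.13.2. An entry such as "8.6.0 < unspecified" is the lower bound of a range, not an open-ended "8.6.0 and later". The record's JSON below lists the same ranges for Jira Data Center, which this table does not show.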
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.962Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72002" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-01-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Direct Object References (IDOR)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-01T23:40:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72002" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-01-21T00:00:00", "ID": "CVE-2020-36231", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.10" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.2" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.10" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object References (IDOR)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72002", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72002" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36231", "datePublished": "2021-02-01T23:40:12.974592Z", "dateReserved": "2021-01-27T00:00:00", "dateUpdated": "2024-09-16T17:14:09.087Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39112
Vulnerability from cvelistv5
Published
2021-08-25 02:30
Modified
2024-10-11 17:19
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-72433 | x_refsource_MISC |
Impacted products
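| Vendor | Product | Version |
|---|---|---|
| Atlassian | Jira Server | unspecified < 8.5.15; 8.6.0 < unspecified; unspecified < 8.13.7; 8.14.0 < unspecified; unspecified < 8.17.1; 8.18.0 < unspecified; unspecified < 8.18.1 |

The version entries are bounds that pair up as in the summary: before 8.5.15, from 8.6.0 before 8.13.7, from 8.14.0 before 8.17.1, and from 8.18.0 before 8.18.1. An entry such as "8.6.0 < unspecified" is the lower bound of a range, not an open-ended "8.6.0 and later". The record's JSON below lists the same ranges for Jira Data Center, which this table does not show.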
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.761Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72433" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-39112", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T17:19:48.107549Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T17:19:59.439Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.15", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.17.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.18.0", "versionType": "custom" }, { "lessThan": "8.18.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.15", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", 
"version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.17.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.18.0", "versionType": "custom" }, { "lessThan": "8.18.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1022", "description": "CWE-1022: Use of Web Link to Untrusted Target with window.opener Access", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-25T02:30:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72433" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-24T00:00:00", "ID": "CVE-2021-39112", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.15" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.7" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.17.1" }, { "version_affected": "\u003e=", "version_value": "8.18.0" }, { "version_affected": "\u003c", "version_value": "8.18.1" } ] } }, { "product_name": "Jira Data Center", 
"version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.15" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.7" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.17.1" }, { "version_affected": "\u003e=", "version_value": "8.18.0" }, { "version_affected": "\u003c", "version_value": "8.18.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-1022: Use of Web Link to Untrusted Target with window.opener Access" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72433", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72433" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39112", "datePublished": "2021-08-25T02:30:10.338013Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-11T17:19:59.439Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20414
Vulnerability from cvelistv5
Published
2020-06-29 06:15
Modified
2024-09-16 22:51
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/JRASERVER-70885 | x_refsource_MISC |
Impacted products
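| Vendor | Product | Version |
|---|---|---|
| Atlassian | Jira Server | unspecified < 7.13.9; 8.0.0 < unspecified; unspecified < 8.4.2 |

The version entries are bounds that pair up as in the summary: before 7.13.9, and from 8.0.0 before 8.4.2. An entry such as "8.0.0 < unspecified" is the lower bound of a range, not an open-ended "8.0.0 and later". Only Jira Server is listed as a product, although the summary also names Data Center.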
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.865Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70885" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-29T06:15:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70885" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-08T00:00:00", "ID": "CVE-2019-20414", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.9" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70885", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70885" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20414", "datePublished": "2020-06-29T06:15:12.355063Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T22:51:46.551Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-16863
Vulnerability from cvelistv5
Published
2018-01-18 18:00
Modified
2024-09-17 02:58
Summary
The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-66623 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/102732 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Atlassian Jira |
Version: All versions prior to version 7.5.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.252Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66623" }, { "name": "102732", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Atlassian Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "All versions prior to version 7.5.3" } ] } ], "datePublic": "2018-01-14T00:00:00", "descriptions": [ { "lang": "en", "value": "The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-20T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66623" }, { "name": "102732", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102732" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-01-14T00:00:00", "ID": "CVE-2017-16863", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Atlassian Jira", "version": { "version_data": [ { "version_value": "All versions prior to version 7.5.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The PieChart gadget in 
Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-66623", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66623" }, { "name": "102732", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102732" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-16863", "datePublished": "2018-01-18T18:00:00Z", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2024-09-17T02:58:19.608Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18033
Vulnerability from cvelistv5
Published
2018-01-18 14:00
Modified
2024-09-17 03:53
Summary
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/102744 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-66643 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:06:50.183Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "102744", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102744" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66643" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "All versions before 7.6.1" } ] } ], "datePublic": "2018-01-17T00:00:00", "descriptions": [ { "lang": "en", "value": "The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-22T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "102744", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102744" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66643" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-01-17T00:00:00", "ID": "CVE-2017-18033", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_value": "All versions before 7.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Jira-importers-plugin in Atlassian Jira 
before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "102744", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102744" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-66643", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66643" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18033", "datePublished": "2018-01-18T14:00:00Z", "dateReserved": "2018-01-17T00:00:00", "dateUpdated": "2024-09-17T03:53:11.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-20826
Vulnerability from cvelistv5
Published
2019-08-09 19:31
Modified
2024-09-17 00:01
Summary
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69239 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:12:28.703Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69239" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.12.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-09T00:00:00", "descriptions": [ { "lang": "en", "value": "The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-09T19:31:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69239" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-09T00:00:00", "ID": "CVE-2018-20826", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.12.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69239", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69239" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-20826", "datePublished": "2019-08-09T19:31:09.865647Z", "dateReserved": "2019-04-30T00:00:00", "dateUpdated": "2024-09-17T00:01:48.975Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4022
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-17 03:43
Summary
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71107 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
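Version: unspecified < 8.5.5 Version: 8.6.0 < unspecified Version: unspecified < 8.8.2 Version: 8.9.0 < unspecified Version: unspecified < 8.9.1 (read together with the summary: each "X < unspecified" entry opens a range that the following "unspecified < Y" entry closes, so the affected ranges are before 8.5.5, from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1, not every version below 8.9.1) |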
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.721Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71107" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.8.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.9.0", "versionType": "custom" }, { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71107" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-4022", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.5" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.8.2" }, { "version_affected": "\u003e=", "version_value": "8.9.0" }, { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71107", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71107" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-4022", "datePublished": "2020-07-01T01:35:27.992219Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-17T03:43:04.895Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4319
Vulnerability from cvelistv5
Published
2017-04-10 03:00
Modified
2024-08-06 00:25
Summary
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/97517 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240&version=62034 | x_refsource_CONFIRM | |
https://jira.atlassian.com/browse/JRASERVER-61803 | x_refsource_MISC | |
https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016 | x_refsource_CONFIRM | |
https://jira.atlassian.com/browse/JRA-61803 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Atlassian JIRA Server before 7.1.9 |
Version: Atlassian JIRA Server before 7.1.9 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:25:14.139Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "97517", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97517" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61803" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRA-61803" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Atlassian JIRA Server before 7.1.9", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Atlassian JIRA Server before 7.1.9" } ] } ], "datePublic": "2017-04-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-15T22:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "name": "97517", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97517" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61803" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRA-61803" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2016-4319", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Atlassian JIRA Server before 7.1.9", "version": { "version_data": [ { "version_value": "Atlassian JIRA Server before 7.1.9" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "97517", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97517" }, { "name": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-61803", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-61803" }, { "name": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "name": "https://jira.atlassian.com/browse/JRA-61803", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRA-61803" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-4319", "datePublished": "2017-04-10T03:00:00", "dateReserved": "2016-04-27T00:00:00", "dateUpdated": "2024-08-06T00:25:14.139Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4318
Vulnerability from cvelistv5
Published
2017-04-10 03:00
Modified
2024-08-06 00:25
Summary
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRA-61861 | x_refsource_MISC | |
https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240&version=62034 | x_refsource_MISC | |
https://jira.atlassian.com/browse/JRASERVER-61861 | x_refsource_MISC | |
http://www.securityfocus.com/bid/97516 | vdb-entry, x_refsource_BID | |
https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | Atlassian JIRA Server before 7.1.9 |
Version: Atlassian JIRA Server before 7.1.9 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:25:14.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRA-61861" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61861" }, { "name": "97516", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97516" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Atlassian JIRA Server before 7.1.9", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Atlassian JIRA Server before 7.1.9" } ] } ], "datePublic": "2017-04-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-15T22:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRA-61861" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61861" }, { "name": "97516", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97516" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2016-4318", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Atlassian JIRA Server before 7.1.9", "version": { "version_data": [ { "version_value": "Atlassian JIRA Server before 7.1.9" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRA-61861", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRA-61861" }, { "name": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034", "refsource": "MISC", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-61861", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-61861" }, { "name": "97516", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97516" }, { "name": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-4318", "datePublished": "2017-04-10T03:00:00", "dateReserved": "2016-04-27T00:00:00", "dateUpdated": "2024-08-06T00:25:14.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20402
Vulnerability from cvelistv5
Published
2020-02-06 03:10
Modified
2024-09-16 18:29
Summary
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70564 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.6.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.826Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70564" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-02-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-06T03:10:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70564" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-02-04T00:00:00", "ID": "CVE-2019-20402", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.6.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70564", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70564" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20402", "datePublished": "2020-02-06T03:10:27.208558Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T18:29:43.223Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36235
Vulnerability from cvelistv5
Published
2021-02-14 23:45
Modified
2024-09-16 16:24
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71950 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.13.2 Version: 8.14.0 < unspecified Version: unspecified < 8.14.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.655Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71950" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-02-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-14T23:45:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71950" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-02-04T00:00:00", "ID": "CVE-2020-36235", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.2" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.2" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71950", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71950" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36235", "datePublished": "2021-02-14T23:45:12.759760Z", "dateReserved": "2021-01-27T00:00:00", "dateUpdated": "2024-09-16T16:24:07.752Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20106
Vulnerability from cvelistv5
Published
2020-02-06 03:10
Modified
2024-09-17 02:12
Severity ?
EPSS score ?
Summary
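Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug. Note that the record's structured version data starts the second range at 8.4.1 rather than 8.0.0, and its problem type reads "Information Disclosure" although the flaw described is an authorization bypass; confirm the affected range against the vendor issue (JRASERVER-70543) before ruling a deployment out.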
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70543 | x_refsource_MISC |
Impacted products
Vendor | Product | Version
---|---|---
Atlassian | Jira Server and Data Center | Version: unspecified < 7.13.12 Version: 8.4.1 < unspecified Version: unspecified < 8.5.4 Version: 8.6.0 < unspecified Version: unspecified < 8.6.1
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:32:10.627Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70543" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.4.1", "versionType": "custom" }, { "lessThan": "8.5.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-02-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-06T03:10:25", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70543" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-02-05T00:00:00", "ID": "CVE-2019-20106", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.12" }, { "version_affected": "\u003e=", "version_value": "8.4.1" }, { "version_affected": "\u003c", "version_value": "8.5.4" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70543", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70543" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20106", "datePublished": "2020-02-06T03:10:25.647528Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-17T02:12:10.048Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-6285
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 01:22
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
References
▼ | URL | Tags |
---|---|---|
http://seclists.org/fulldisclosure/2017/Jan/41 | mailing-list, x_refsource_FULLDISC | |
http://www.securityfocus.com/bid/95913 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRA-61888?src=confmacro&_ga=1.139403892.63283854.1485351777 | x_refsource_CONFIRM | |
https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2 | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:22:20.959Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20170117 Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2017/Jan/41" }, { "name": "95913", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/95913" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRA-61888?src=confmacro\u0026_ga=1.139403892.63283854.1485351777" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-09-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-02-02T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20170117 Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2017/Jan/41" }, { "name": "95913", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/95913" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRA-61888?src=confmacro\u0026_ga=1.139403892.63283854.1485351777" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6285", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20170117 Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2017/Jan/41" }, { "name": "95913", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95913" }, { "name": "https://jira.atlassian.com/browse/JRA-61888?src=confmacro\u0026_ga=1.139403892.63283854.1485351777", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRA-61888?src=confmacro\u0026_ga=1.139403892.63283854.1485351777" }, { "name": "https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2" }, { "name": "http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6285", "datePublished": "2017-01-31T22:00:00", "dateReserved": "2016-07-22T00:00:00", "dateUpdated": "2024-08-06T01:22:20.959Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36234
Vulnerability from cvelistv5
Published
2021-02-15 00:00
Modified
2024-09-16 16:18
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72059 | x_refsource_MISC |
Impacted products
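Vendor | Product | Version
---|---|---
Atlassian | Jira Server | Version: unspecified < 8.5.11 Version: 8.6.0 < unspecified Version: unspecified < 8.13.3 Version: 8.14.0 < unspecified Version: unspecified < 8.15.0
Atlassian | Jira Data Center | Version: unspecified < 8.5.11 Version: 8.6.0 < unspecified Version: unspecified < 8.13.3 Version: 8.14.0 < unspecified Version: unspecified < 8.15.0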
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.664Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72059" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-02-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-15T00:00:15", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72059" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-02-04T00:00:00", "ID": "CVE-2020-36234", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72059", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72059" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36234", "datePublished": "2021-02-15T00:00:15.314287Z", "dateReserved": "2021-01-27T00:00:00", "dateUpdated": "2024-09-16T16:18:31.237Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15005
Vulnerability from cvelistv5
Published
2019-11-08 03:55
Modified
2024-09-16 20:31
Severity ?
EPSS score ?
Summary
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-20647 | x_refsource_MISC | |
https://herolab.usd.de/security-advisories/usd-2019-0016/ | x_refsource_MISC |
Impacted products
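Vendor | Product | Version
---|---|---
Atlassian | Bitbucket Server | Version: unspecified < 6.6.0
Atlassian | Jira Server | Version: unspecified < 8.3.2
Atlassian | Confluence Server | Version: unspecified < 7.0.1
Atlassian | Crowd | Version: unspecified < 3.6.0
Atlassian | Fisheye | Version: unspecified < 4.7.2
Atlassian | Crucible | Version: unspecified < 4.7.2
Atlassian | Bamboo | Version: unspecified < 6.10.2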
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.099Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bitbucket Server", "vendor": "Atlassian", "versions": [ { "lessThan": "6.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Confluence Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Crowd", "vendor": "Atlassian", "versions": [ { "lessThan": "3.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Fisheye", "vendor": "Atlassian", "versions": [ { "lessThan": "4.7.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Crucible", "vendor": "Atlassian", "versions": [ { "lessThan": "4.7.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "lessThan": "6.10.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-11-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. 
The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-14T20:44:03", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "tags": [ "x_refsource_MISC" ], "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-11-08T00:00:00", "ID": "CVE-2019-15005", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bitbucket Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "6.6.0" } ] } }, { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.3.2" } ] } }, { "product_name": "Confluence Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.0.1" } ] } }, { "product_name": "Crowd", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "3.6.0" } ] } }, { "product_name": "Fisheye", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.7.2" } ] } }, { "product_name": "Crucible", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.7.2" } ] } }, { "product_name": "Bamboo", "version": { "version_data": [ { "version_affected": "\u003c", 
"version_value": "6.10.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-20647", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "name": "https://herolab.usd.de/security-advisories/usd-2019-0016/", "refsource": "MISC", "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-15005", "datePublished": "2019-11-08T03:55:12.611106Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T20:31:42.718Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20418
Vulnerability from cvelistv5
Published
2020-07-03 01:05
Modified
2024-09-16 18:19
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70943 | x_refsource_MISC |
Impacted products
Vendor | Product | Version
---|---|---
Atlassian | Jira Server | Version: unspecified < 8.8.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.934Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70943" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.8.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0." } ], "problemTypes": [ { "descriptions": [ { "description": "Application Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-03T01:05:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70943" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-22T00:00:00", "ID": "CVE-2019-20418", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.8.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. 
The affected versions are before version 8.8.0." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Application Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70943", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70943" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20418", "datePublished": "2020-07-03T01:05:13.223838Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T18:19:35.652Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8448
Vulnerability from cvelistv5
Published
2019-08-13 14:39
Modified
2024-09-16 22:20
Severity ?
EPSS score ?
Summary
The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69797 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.349Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69797" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.2.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-12T00:00:00", "descriptions": [ { "lang": "en", "value": "The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-13T14:39:56", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69797" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-12T00:00:00", "ID": "CVE-2019-8448", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.4" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.2.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": 
"eng", "value": "The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69797", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69797" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8448", "datePublished": "2019-08-13T14:39:56.841578Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T22:20:34.740Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39123
Vulnerability from cvelistv5
Published
2021-09-14 04:30
Modified
2024-10-10 15:24
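Severity: 7.5 (HIGH), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, as scored in the record's CISA ADP container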
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72237 | x_refsource_MISC |
Impacted products
Vendor | Product | Version
---|---|---
Atlassian | Jira Server | Version: unspecified < 8.16.0
Atlassian | Jira Data Center | Version: unspecified < 8.16.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.890Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72237" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.16.0", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.16.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39123", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T15:22:02.815107Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T15:24:15.097Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.16.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.16.0", "status": "affected", 
"version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-09-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application\u0027s availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0." } ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-14T04:30:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72237" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-09-01T00:00:00", "ID": "CVE-2021-39123", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.16.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.16.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application\u0027s availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72237", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72237" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39123", "datePublished": "2021-09-14T04:30:10.955180Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-10T15:24:15.097Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41305
Vulnerability from cvelistv5
Published
2021-10-26 04:15
Modified
2024-10-09 16:52
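Severity: 7.5 (HIGH) — CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, scored by CISA-ADP (the CNA record carries no CVSS score)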
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72813 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | unspecified < 8.13.12 |
Atlassian | Jira Data Center | unspecified < 8.13.12 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:32.012Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72813" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-41305", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T16:49:26.505533Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-09T16:52:39.165Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", 
"version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Direct Object References (IDOR)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-26T04:15:18", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72813" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-10-25T00:00:00", "ID": "CVE-2021-41305", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object References (IDOR)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72813", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72813" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-41305", "datePublished": "2021-10-26T04:15:18.259539Z", "dateReserved": "2021-09-16T00:00:00", "dateUpdated": "2024-10-09T16:52:39.165Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8449
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-17 01:01
Summary
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69796 | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.450Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69796" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.4.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-03T18:06:04", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69796" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-8449", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.4.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /rest/api/latest/groupuserpicker resource 
in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69796", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69796" }, { "name": "http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8449", "datePublished": "2019-09-11T13:56:26.301421Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-17T01:01:03.580Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2927
Vulnerability from cvelistv5
Published
2012-05-22 15:00
Modified
2024-08-06 19:50
Summary
The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/49166 | third-party-advisory, x_refsource_SECUNIA | |
http://osvdb.org/81993 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/53595 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/75697 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:50:05.230Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "49166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/49166" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81993" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-05-17T00:00:00", "descriptions": [ { "lang": "en", "value": "The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "49166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/49166" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81993" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2927", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "49166", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/49166" }, { "name": "81993", "refsource": "OSVDB", "url": "http://osvdb.org/81993" }, { "name": "53595", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53595" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2927", "datePublished": "2012-05-22T15:00:00", "dateReserved": "2012-05-22T00:00:00", "dateUpdated": "2024-08-06T19:50:05.230Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-2313
Vulnerability from cvelistv5
Published
2014-03-07 20:00
Modified
2024-09-16 22:46
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:06:00.422Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-07T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2313", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2313", "datePublished": "2014-03-07T20:00:00Z", "dateReserved": "2014-03-07T00:00:00Z", "dateUpdated": "2024-09-16T22:46:10.244Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26082
Vulnerability from cvelistv5
Published
2021-07-20 03:25
Modified
2024-10-11 17:19
Severity ?
EPSS score ?
Summary
The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72393 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | unspecified < 8.5.14; 8.6.0 ≤ version < 8.13.6; 8.14.0 ≤ version < 8.17.0 |
Atlassian | Jira Data Center | unspecified < 8.5.14; 8.6.0 ≤ version < 8.13.6; 8.14.0 ≤ version < 8.17.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.355Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72393" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-26082", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T17:19:09.330348Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T17:19:19.636Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.17.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.17.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-07-15T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-20T03:25:14", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72393" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-07-15T00:00:00", "ID": "CVE-2021-26082", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.17.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.14" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.6" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.17.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 
8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72393", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72393" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26082", "datePublished": "2021-07-20T03:25:14.310371Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-11T17:19:19.636Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14165
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 22:26
Severity ?
EPSS score ?
Summary
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71185 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server and Data Center | unspecified < 8.9.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.024Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71185" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.9.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:25", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71185" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-14165", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.9.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization 
vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71185", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71185" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14165", "datePublished": "2020-07-01T01:35:25.806770Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T22:26:41.672Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13403
Vulnerability from cvelistv5
Published
2019-02-13 18:00
Modified
2024-09-16 18:08
Severity ?
EPSS score ?
Summary
The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-68526 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.157Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68526" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.12.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.13.0", "versionType": "custom" }, { "lessThan": "7.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-01-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-13T17:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68526" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-01-18T00:00:00", "ID": "CVE-2018-13403", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.10" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.12.4" }, { "version_affected": "\u003e=", "version_value": "7.13.0" }, { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-68526", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-68526" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13403", "datePublished": "2019-02-13T18:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-16T18:08:58.970Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39119
Vulnerability from cvelistv5
Published
2021-09-01 22:50
Modified
2024-10-11 19:07
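Severity: 5.3 (MEDIUM) — CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, scored by CISA-ADP (the CNA record carries no CVSS score)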
Summary
Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72737 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | unspecified < 8.19.0 |
Atlassian | Jira Data Center | unspecified < 8.19.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:18.117Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72737" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39119", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T19:05:47.309241Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-11T19:07:45.328Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "unspecified", 
"versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-01T22:50:08", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72737" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-30T00:00:00", "ID": "CVE-2021-39119", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.19.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.19.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72737", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72737" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39119", "datePublished": "2021-09-01T22:50:08.590435Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-11T19:07:45.328Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26070
Vulnerability from cvelistv5
Published
2021-03-22 04:40
Modified
2024-09-16 19:42
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72029 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.13.3; Version: 8.14.0 < unspecified; Version: unspecified < 8.14.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.598Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72029" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-01-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Broken Authentication", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-22T04:40:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72029" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-01-27T00:00:00", "ID": "CVE-2021-26070", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Authentication" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72029", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72029" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26070", "datePublished": "2021-03-22T04:40:11.930398Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T19:42:02.091Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39122
Vulnerability from cvelistv5
Published
2021-09-08 02:05
Modified
2024-10-10 15:17
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72293 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.13; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.5; Version: 8.14.0 < unspecified; Version: unspecified < 8.15.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.788Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72293" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39122", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T15:05:24.383108Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T15:17:51.221Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", 
"shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-09-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users\u0027 emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-08T02:05:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72293" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-09-01T00:00:00", "ID": "CVE-2021-39122", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users\u0027 emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72293", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72293" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39122", "datePublished": "2021-09-08T02:05:10.176915Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-10T15:17:51.221Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-16864
Vulnerability from cvelistv5
Published
2018-01-12 14:00
Modified
2024-09-16 23:31
Severity ?
EPSS score ?
Summary
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/102505 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-66624 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.319Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "102505", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102505" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66624" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 7.4.2" } ] } ], "datePublic": "2018-01-11T00:00:00", "descriptions": [ { "lang": "en", "value": "The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-16T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "102505", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102505" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66624" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-01-11T00:00:00", "ID": "CVE-2017-16864", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_value": "prior to 7.4.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to 
inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "102505", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102505" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-66624", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66624" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-16864", "datePublished": "2018-01-12T14:00:00Z", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2024-09-16T23:31:30.686Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39124
Vulnerability from cvelistv5
Published
2021-09-14 04:20
Modified
2024-10-10 15:21
Severity ?
EPSS score ?
Summary
The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72761 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.16.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72761" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-39124", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T15:20:51.473446Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T15:21:04.763Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.16.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.16.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-09-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-14T04:20:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72761" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-09-01T00:00:00", "ID": "CVE-2021-39124", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.16.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.16.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72761", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72761" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39124", "datePublished": "2021-09-14T04:20:09.865280Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-10T15:21:04.763Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-20824
Vulnerability from cvelistv5
Published
2019-05-03 19:26
Modified
2024-09-17 02:37
Severity ?
EPSS score ?
Summary
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69238 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:12:27.311Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69238" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-05-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-03T19:26:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69238" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-01T00:00:00", "ID": "CVE-2018-20824", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69238", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69238" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-20824", "datePublished": "2019-05-03T19:26:27.846676Z", "dateReserved": "2019-04-30T00:00:00", "dateUpdated": "2024-09-17T02:37:01.068Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4025
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 22:03
Severity ?
EPSS score ?
Summary
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with an rdf content type. (Note: this summary gives 8.8.2 as the fixed version for the 8.6.0 range, while the record's version data lists 8.8.1; confirm the fixed version against the vendor advisory before relying on either.)
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71114 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server and Data Center | Version: unspecified < 8.5.5; Version: 8.6.0 < unspecified; Version: unspecified < 8.8.1; Version: 8.9.0 < unspecified; Version: unspecified < 8.9.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.714Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71114" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.8.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.9.0", "versionType": "custom" }, { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:28", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71114" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-4025", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.5" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.8.1" }, { "version_affected": "\u003e=", "version_value": "8.9.0" }, { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71114", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71114" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-4025", "datePublished": "2020-07-01T01:35:28.857321Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-16T22:03:15.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39127
Vulnerability from cvelistv5
Published
2021-10-21 02:35
Modified
2024-10-10 16:05
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to [access] the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72003 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.10; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72003" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "8.6.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "8.6.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39127", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T16:01:59.411320Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T16:05:21.853Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.10", "status": 
"affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-09-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-21T02:35:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72003" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-09-14T00:00:00", "ID": "CVE-2021-39127", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.10" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.10" }, { 
"version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72003", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72003" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39127", "datePublished": "2021-10-21T02:35:10.353652Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-10T16:05:21.853Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14167
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-17 00:57
Severity ?
EPSS score ?
Summary
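The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability. (Note: the Impacted products table and the version data in this record give the first bound as 7.13.14, not 7.13.4; confirm the fixed version against the vendor advisory before relying on either value.)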
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71197 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
Version: unspecified < 7.13.14 Version: 8.5.0 < unspecified Version: unspecified < 8.5.5 Version: 8.8.0 < unspecified Version: unspecified < 8.8.2 Version: 8.9.0 < unspecified Version: unspecified < 8.9.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:35.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71197" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.14", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.5.0", "versionType": "custom" }, { "lessThan": "8.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.8.0", "versionType": "custom" }, { "lessThan": "8.8.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.9.0", "versionType": "custom" }, { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service (DoS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:26", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71197" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-14167", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.14" }, { "version_affected": "\u003e=", "version_value": "8.5.0" }, { "version_affected": "\u003c", "version_value": "8.5.5" }, { "version_affected": "\u003e=", "version_value": "8.8.0" }, { "version_affected": "\u003c", "version_value": "8.8.2" }, { "version_affected": "\u003e=", "version_value": "8.9.0" }, { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service (DoS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71197", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71197" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14167", "datePublished": "2020-07-01T01:35:26.668525Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-17T00:57:08.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26076
Vulnerability from cvelistv5
Published
2021-04-14 23:45
Modified
2024-10-17 14:12
Severity ?
EPSS score ?
Summary
The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker-in-the-middle attack to learn which mode a user is editing in, because the cookie is not set with the Secure attribute when Jira is configured to use HTTPS.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72252 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.12 Version: 8.6.0 < unspecified Version: unspecified < 8.13.4 Version: 8.14.0 < unspecified Version: unspecified < 8.15.0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72252" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-26076", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:12:15.793730Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:12:32.765Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-14T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https." } ], "problemTypes": [ { "descriptions": [ { "description": "Security Misconfiguration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-14T23:45:19", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72252" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-14T00:00:00", "ID": "CVE-2021-26076", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.12" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.4" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.12" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.4" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": 
"eng", "value": "The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Security Misconfiguration" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72252", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72252" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26076", "datePublished": "2021-04-14T23:45:19.196220Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-10-17T14:12:32.765Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41312
Vulnerability from cvelistv5
Published
2021-11-03 03:50
Modified
2024-10-10 13:45
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72801 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.19.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.935Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72801" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.19.1", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.19.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-41312", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T13:44:04.544542Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T13:45:52.185Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.19.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.19.1", "status": "affected", 
"version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "Improper Authentication (CWE-287)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-03T03:50:33", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72801" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-10-26T00:00:00", "ID": "CVE-2021-41312", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.19.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.19.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authentication (CWE-287)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72801", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72801" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-41312", "datePublished": "2021-11-03T03:50:33.432948Z", "dateReserved": "2021-09-16T00:00:00", "dateUpdated": "2024-10-10T13:45:52.185Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13404
Vulnerability from cvelistv5
Published
2019-02-13 18:00
Modified
2024-09-16 17:28
Severity ?
EPSS score ?
Summary
The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-68527 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira |
Version: unspecified < 7.6.10 Version: 7.7.0 < unspecified Version: unspecified < 7.7.5 Version: 7.8.0 < unspecified Version: unspecified < 7.8.5 Version: 7.9.0 < unspecified Version: unspecified < 7.9.3 Version: 7.10.0 < unspecified Version: unspecified < 7.10.3 Version: 7.11.0 < unspecified Version: unspecified < 7.11.3 Version: 7.12.0 < unspecified Version: unspecified < 7.12.3 Version: 7.13.0 < unspecified Version: unspecified < 7.13.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.190Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68527" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.11.0", "versionType": "custom" }, { "lessThan": "7.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.12.0", "versionType": "custom" }, { "lessThan": "7.12.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.13.0", "versionType": "custom" }, { "lessThan": "7.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-01-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The 
VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts \u0026 open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-13T17:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68527" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-01-18T00:00:00", "ID": "CVE-2018-13404", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.10" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { "version_affected": "\u003c", "version_value": "7.10.3" }, { "version_affected": "\u003e=", "version_value": "7.11.0" }, { "version_affected": "\u003c", "version_value": "7.11.3" }, { 
"version_affected": "\u003e=", "version_value": "7.12.0" }, { "version_affected": "\u003c", "version_value": "7.12.3" }, { "version_affected": "\u003e=", "version_value": "7.13.0" }, { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts \u0026 open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-68527", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-68527" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13404", "datePublished": "2019-02-13T18:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-16T17:28:16.895Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39111
Vulnerability from cvelistv5
Published
2021-08-30 06:30
Modified
2024-10-11 17:20
Severity ?
EPSS score ?
Summary
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72716 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.18 Version: 8.6.0 < unspecified Version: unspecified < 8.13.10 Version: 8.14.0 < unspecified Version: unspecified < 8.18.2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.957Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72716" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-39111", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T17:20:17.971122Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T17:20:26.330Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.18.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.18", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.18.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-30T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-30T06:30:15", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72716" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-30T00:00:00", "ID": "CVE-2021-39111", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.18" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.10" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.18.2" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.18" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.10" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.18.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Editor plugin in Atlassian Jira 
Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72716", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72716" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39111", "datePublished": "2021-08-30T06:30:15.787184Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-11T17:20:26.330Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14169
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 20:28
Severity ?
EPSS score ?
Summary
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71205 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server and Data Center |
Version: unspecified < 8.9.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.191Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71205" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability" } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71205" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-14169", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability" } ] }, "problemtype": { "problemtype_data": [ { 
"description": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71205", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71205" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14169", "datePublished": "2020-07-01T01:35:27.569795Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T20:28:10.550Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-14995
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-16 18:24
Severity ?
EPSS score ?
Summary
The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69792 | x_refsource_CONFIRM | |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836 | x_refsource_MISC | |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.143Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69792" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.4.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-16T18:06:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69792" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-14995", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.4.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Authorization (CWE-863)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69792", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69792" }, { "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836" }, { "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-14995", "datePublished": "2019-09-11T13:56:26.083003Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T18:24:24.535Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20101
Vulnerability from cvelistv5
Published
2021-09-14 05:10
Modified
2024-10-09 16:22
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72618 | x_refsource_MISC | |
https://ecosystem.atlassian.net/browse/AW-20 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
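Version: unspecified < 8.13.3 Version: 8.14.0 < unspecified Version: unspecified < 8.14.1 (read as two ranges, not as "everything from 8.14.0 onward": all versions before 8.13.3, and 8.14.0 up to but not including 8.14.1; the record below lists the same ranges for Jira Data Center) |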
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:32:10.530Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72618" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ecosystem.atlassian.net/browse/AW-20" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.3", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.3", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2019-20101", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T16:12:44.831752Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T16:22:27.184Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { 
"affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.14.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-09-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/\u003cversion\u003e/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Improper Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-14T05:10:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72618" }, { "tags": [ "x_refsource_MISC" ], "url": "https://ecosystem.atlassian.net/browse/AW-20" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-09-01T00:00:00", "ID": "CVE-2019-20101", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.14.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/\u003cversion\u003e/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72618", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72618" }, { "name": "https://ecosystem.atlassian.net/browse/AW-20", "refsource": "MISC", "url": "https://ecosystem.atlassian.net/browse/AW-20" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20101", "datePublished": "2021-09-14T05:10:10.380444Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-10-09T16:22:27.184Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20901
Vulnerability from cvelistv5
Published
2020-07-13 04:55
Modified
2024-09-17 01:41
Severity ?
EPSS score ?
Summary
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70408 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
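Version: unspecified < 8.5.2 Version: 8.6.0 < unspecified Version: unspecified < 8.6.1 (read as two ranges, not as "everything from 8.6.0 onward": all versions before 8.5.2, and 8.6.0 up to but not including 8.6.1) |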
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:53:09.434Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70408" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-12-17T00:00:00", "descriptions": [ { "lang": "en", "value": "The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Open Redirect", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-13T04:55:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70408" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-12-17T00:00:00", "ID": "CVE-2019-20901", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.2" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Open Redirect" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70408", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70408" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20901", "datePublished": "2020-07-13T04:55:11.862868Z", "dateReserved": "2020-07-07T00:00:00", "dateUpdated": "2024-09-17T01:41:06.651Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20413
Vulnerability from cvelistv5
Published
2020-06-29 06:05
Modified
2024-09-16 19:41
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70883 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
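Version: unspecified < 7.13.9 Version: 8.0.0 < unspecified Version: unspecified < 8.4.2 (read as two ranges, not as "everything from 8.0.0 onward": all versions before 7.13.9, and 8.0.0 up to but not including 8.4.2) |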
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.910Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70883" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application\u0027s availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-29T06:05:15", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70883" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-08T00:00:00", "ID": "CVE-2019-20413", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.9" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application\u0027s availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70883", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70883" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20413", "datePublished": "2020-06-29T06:05:15.549519Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-16T19:41:27.665Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26071
Vulnerability from cvelistv5
Published
2021-04-01 02:30
Modified
2024-09-17 03:13
Severity ?
EPSS score ?
Summary
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72233 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
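Version: unspecified < 8.5.13 Version: 8.6.0 < unspecified Version: unspecified < 8.13.5 Version: 8.14.0 < unspecified Version: unspecified < 8.15.1 (read as three ranges, not as open-ended lower bounds: all versions before 8.5.13, 8.6.0 up to but not including 8.13.5, and 8.14.0 up to but not including 8.15.1; the record below lists the same ranges for Jira Data Center) |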
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.784Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72233" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.13", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-04-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-01T02:30:14", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72233" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-01T00:00:00", "ID": "CVE-2021-26071", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.13" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.5" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72233", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72233" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26071", "datePublished": "2021-04-01T02:30:14.635180Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T03:13:35.908Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43945
Vulnerability from cvelistv5
Published
2022-02-28 00:20
Modified
2024-10-04 18:12
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-73069 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.20.3 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:10:17.223Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73069" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-43945", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-04T18:12:39.802413Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-04T18:12:49.031Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.20.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.20.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-12-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Stored Cross-Site Scripting (SXSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-28T00:20:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73069" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-12-31T00:00:00", "ID": "CVE-2021-43945", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.20.3" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.20.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Stored Cross-Site Scripting (SXSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-73069", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-73069" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-43945", "datePublished": "2022-02-28T00:20:09.118520Z", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-10-04T18:12:49.031Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14174
Vulnerability from cvelistv5
Published
2020-07-13 04:45
Modified
2024-09-16 20:31
Severity ?
EPSS score ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71275 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
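Version: unspecified < 7.13.6 Version: 8.0.0 < unspecified Version: unspecified < 8.5.7 Version: 8.6.0 < unspecified Version: unspecified < 8.9.2 Version: 8.10.0 < unspecified Version: unspecified < 8.10.1 (read as four ranges, not as open-ended lower bounds: all versions before 7.13.6, 8.0.0 up to but not including 8.5.7, 8.6.0 up to but not including 8.9.2, and 8.10.0 up to but not including 8.10.1) |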
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.196Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71275" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.5.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.9.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.10.0", "versionType": "custom" }, { "lessThan": "8.10.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Direct Object References (IDOR)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-13T04:45:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71275" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-08T00:00:00", "ID": "CVE-2020-14174", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.5.7" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.9.2" }, { "version_affected": "\u003e=", "version_value": "8.10.0" }, { "version_affected": "\u003c", "version_value": "8.10.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object References (IDOR)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71275", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71275" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14174", "datePublished": "2020-07-13T04:45:13.167764Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T20:31:56.101Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-6619
Vulnerability from cvelistv5
Published
2008-01-03 23:00
Modified
2024-08-07 16:11
Summary
The Setup Wizard in Atlassian JIRA Enterprise Edition before 3.12.1 does not properly restrict setup attempts after setup is complete, which allows remote attackers to change the default language.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/27095 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24 | x_refsource_CONFIRM | |
http://osvdb.org/42770 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/27954 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T16:11:06.152Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "27095", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27095" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42770", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/42770" }, { "name": "27954", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/27954" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-12-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The Setup Wizard in Atlassian JIRA Enterprise Edition before 3.12.1 does not properly restrict setup attempts after setup is complete, which allows remote attackers to change the default language." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-10-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "27095", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27095" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42770", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/42770" }, { "name": "27954", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/27954" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-6619", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Setup Wizard in Atlassian JIRA Enterprise Edition before 3.12.1 does not properly restrict setup attempts after setup is complete, which allows remote attackers to change the default language." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "27095", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27095" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "name": "42770", "refsource": "OSVDB", "url": "http://osvdb.org/42770" }, { "name": "27954", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27954" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-6619", "datePublished": "2008-01-03T23:00:00", "dateReserved": "2008-01-03T00:00:00", "dateUpdated": "2024-08-07T16:11:06.152Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13401
Vulnerability from cvelistv5
Published
2018-10-23 14:00
Modified
2024-09-17 03:13
Summary
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/105751 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-68139 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira |
Version: unspecified < 7.6.9 Version: 7.7.0 < unspecified Version: unspecified < 7.7.5 Version: 7.8.0 < unspecified Version: unspecified < 7.8.5 Version: 7.9.0 < unspecified Version: unspecified < 7.9.3 Version: 7.10.0 < unspecified Version: unspecified < 7.10.3 Version: 7.11.0 < unspecified Version: unspecified < 7.11.3 Version: 7.12.0 < unspecified Version: unspecified < 7.12.3 Version: 7.13.0 < unspecified Version: unspecified < 7.13.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.157Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "105751", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105751" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68139" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.11.0", "versionType": "custom" }, { "lessThan": "7.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.12.0", "versionType": "custom" }, { "lessThan": "7.12.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.13.0", "versionType": "custom" }, { "lessThan": "7.13.1", "status": "affected", "version": 
"unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-10-23T00:00:00", "descriptions": [ { "lang": "en", "value": "The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user\u0027s Cross-site request forgery (CSRF) token through an open redirect vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-30T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "105751", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105751" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68139" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-10-23T00:00:00", "ID": "CVE-2018-13401", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.9" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { "version_affected": "\u003c", "version_value": "7.10.3" }, { "version_affected": 
"\u003e=", "version_value": "7.11.0" }, { "version_affected": "\u003c", "version_value": "7.11.3" }, { "version_affected": "\u003e=", "version_value": "7.12.0" }, { "version_affected": "\u003c", "version_value": "7.12.3" }, { "version_affected": "\u003e=", "version_value": "7.13.0" }, { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user\u0027s Cross-site request forgery (CSRF) token through an open redirect vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "105751", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105751" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-68139", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-68139" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13401", "datePublished": "2018-10-23T14:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-17T03:13:21.525Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11588
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-16 16:57
Summary
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69781 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:41.020Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69781" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69781" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-11588", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.2.3" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69781", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69781" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11588", "datePublished": "2019-08-23T13:49:47.662321Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-16T16:57:57.828Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20897
Vulnerability from cvelistv5
Published
2020-07-13 00:50
Modified
2024-09-16 17:33
Summary
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70813 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.5.4 Version: 8.6.0 < unspecified Version: unspecified < 8.6.2 Version: 8.7.0 < unspecified Version: unspecified < 8.7.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:53:09.487Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70813" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.6.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.7.0", "versionType": "custom" }, { "lessThan": "8.7.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-03-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-13T00:50:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70813" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-03-24T00:00:00", "ID": "CVE-2019-20897", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.4" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.6.2" }, { "version_affected": "\u003e=", "version_value": "8.7.0" }, { "version_affected": "\u003c", "version_value": "8.7.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70813", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70813" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20897", "datePublished": "2020-07-13T00:50:11.654573Z", "dateReserved": "2020-07-07T00:00:00", "dateUpdated": "2024-09-16T17:33:31.211Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18113
Vulnerability from cvelistv5
Published
2021-08-02 02:35
Modified
2024-10-17 16:03
Summary
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator into importing their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into the OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72660 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 8.18.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.563Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72660" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.18.1", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.18.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2017-18113", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T15:26:03.336929Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-17T16:03:55.792Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.18.1", "status": 
"affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.18.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-02T02:35:10", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72660" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-02T00:00:00", "ID": "CVE-2017-18113", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.18.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.18.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72660", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72660" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18113", "datePublished": "2021-08-02T02:35:10.548806Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-10-17T16:03:55.792Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-8444
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-16 16:33
Summary
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69779 | x_refsource_MISC | |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T21:17:31.480Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69779" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-16T18:06:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69779" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-8444", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69779", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69779" }, { "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8444", "datePublished": "2019-08-23T13:49:47.797160Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T16:33:26.240Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20415
Vulnerability from cvelistv5
Published
2020-06-30 02:50
Modified
2024-09-17 00:51
Summary
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70849 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Jira Server |
Version: unspecified < 7.13.3 Version: 8.0.0 < unspecified Version: unspecified < 8.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.853Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70849" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-30T02:50:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70849" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-01T00:00:00", "ID": "CVE-2019-20415", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.3" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.1.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70849", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70849" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20415", "datePublished": "2020-06-30T02:50:11.721214Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T00:51:17.879Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18097
Vulnerability from cvelistv5
Published
2018-04-06 13:00
Modified
2024-09-16 22:14
Summary
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
References
URL | Tags |
---|---|
http://www.securityfocus.com/bid/103764 | vdb-entry, x_refsource_BID |
https://jira.atlassian.com/browse/JRASERVER-67076 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.192Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "103764", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103764" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67076" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-04-06T00:00:00", "descriptions": [ { "lang": "en", "value": "The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-17T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "103764", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103764" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67076" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-04-06T00:00:00", "ID": "CVE-2017-18097", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "103764", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103764" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-67076", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67076" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18097", "datePublished": "2018-04-06T13:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T22:14:42.823Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-5319
Vulnerability from cvelistv5
Published
2013-08-20 14:00
Modified
2024-09-17 00:56
Summary
Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/DeleteUser!default.jspa.
References
URL | Tags |
---|---|
http://cxsecurity.com/issue/WLB-2013080065 | x_refsource_MISC |
http://secunia.com/advisories/54417 | third-party-advisory, x_refsource_SECUNIA |
http://packetstormsecurity.com/files/122721 | x_refsource_MISC |
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php | x_refsource_MISC |
https://jira.atlassian.com/i#browse/JRA-34160 | x_refsource_CONFIRM |
https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240&version=33790 | x_refsource_CONFIRM |
http://www.securityfocus.com/bid/61647 | vdb-entry, x_refsource_BID |
https://jira.atlassian.com/browse/JRA/fixforversion/33790 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:06:52.367Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://cxsecurity.com/issue/WLB-2013080065" }, { "name": "54417", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54417" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/122721" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/i#browse/JRA-34160" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=33790" }, { "name": "61647", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61647" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRA/fixforversion/33790" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/DeleteUser!default.jspa." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-08-20T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://cxsecurity.com/issue/WLB-2013080065" }, { "name": "54417", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54417" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/122721" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/i#browse/JRA-34160" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=33790" }, { "name": "61647", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61647" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRA/fixforversion/33790" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-5319", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/DeleteUser!default.jspa." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://cxsecurity.com/issue/WLB-2013080065", "refsource": "MISC", "url": "http://cxsecurity.com/issue/WLB-2013080065" }, { "name": "54417", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54417" }, { "name": "http://packetstormsecurity.com/files/122721", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/122721" }, { "name": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php", "refsource": "MISC", "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php" }, { "name": "https://jira.atlassian.com/i#browse/JRA-34160", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/i#browse/JRA-34160" }, { "name": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=33790", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=33790" }, { "name": "61647", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61647" }, { "name": "https://jira.atlassian.com/browse/JRA/fixforversion/33790", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRA/fixforversion/33790" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-5319", "datePublished": "2013-08-20T14:00:00Z", "dateReserved": "2013-08-20T00:00:00Z", "dateUpdated": "2024-09-17T00:56:04.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-20232
Vulnerability from cvelistv5
Published
2019-02-13 18:00
Modified
2024-09-16 23:25
Summary
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
References
URL | Tags |
---|---|
https://jira.atlassian.com/browse/JRASERVER-68614 | x_refsource_CONFIRM |
http://www.securityfocus.com/bid/107023 | vdb-entry, x_refsource_BID |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:58:18.959Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68614" }, { "name": "107023", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/107023" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "next of 7.7.0", "versionType": "custom" }, { "lessThan": "7.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-01-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-15T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68614" }, { "name": "107023", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/107023" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-01-25T00:00:00", "ID": "CVE-2018-20232", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.11" }, { "version_affected": "\u003e", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.13.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-68614", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-68614" }, { "name": "107023", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107023" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-20232", "datePublished": "2019-02-13T18:00:00Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-16T23:25:54.494Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41306
Vulnerability from cvelistv5
Published
2021-10-26 04:15
Modified
2024-10-09 18:21
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
References
URL | Tags |
---|---|
https://jira.atlassian.com/browse/JRASERVER-72915 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | unspecified < 8.13.12; 8.14.0 < unspecified; unspecified < 8.20.0 |

The CVE record below lists the same version ranges for Jira Data Center.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.997Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72915" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-41306", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T18:17:30.707203Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-09T18:21:09.274Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": 
"CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Direct Object References (IDOR)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-26T04:15:19", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72915" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-10-25T00:00:00", "ID": "CVE-2021-41306", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.12" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object References (IDOR)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72915", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72915" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-41306", "datePublished": "2021-10-26T04:15:19.782890Z", "dateReserved": "2021-09-16T00:00:00", "dateUpdated": "2024-10-09T18:21:09.274Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43953
Vulnerability from cvelistv5
Published
2022-02-15 02:40
Modified
2024-10-08 14:38
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
References
URL | Tags |
---|---|
https://jira.atlassian.com/browse/JRASERVER-73170 | x_refsource_MISC |
Impacted products
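Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | unspecified < 8.13.16; next of 8.14.0 < unspecified; unspecified < 8.20.5 |

The CVE record below lists the same version ranges for Jira Data Center. Its "next of 8.14.0" entry (`> 8.14.0` in the legacy record) excludes 8.14.0 itself, whereas the summary says "from version 8.14.0"; confirm against the vendor advisory before treating 8.14.0 as unaffected.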
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:10:16.450Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73170" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-43953", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T14:38:34.132122Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T14:38:59.629Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "next of 8.14.0", "versionType": "custom" }, { "lessThan": "8.20.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "next of 8.14.0", "versionType": "custom" }, { "lessThan": "8.20.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-01-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. 
The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-14T01:45:17", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73170" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-01-06T00:00:00", "ID": "CVE-2021-43953", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.16" }, { "version_affected": "\u003e", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.5" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.16" }, { "version_affected": "\u003e", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.5" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-73170", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-73170" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-43953", "datePublished": "2022-02-15T02:40:10.288350Z", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-10-08T14:38:59.629Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-1165
Vulnerability from cvelistv5
Published
2010-04-20 15:00
Modified
2024-08-07 01:14
Summary
Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010.
References
URL | Tags |
---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/57828 | vdb-entry, x_refsource_XF |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 | x_refsource_CONFIRM |
http://jira.atlassian.com/browse/JRA-20995 | x_refsource_CONFIRM |
http://www.openwall.com/lists/oss-security/2010/04/16/3 | mailing-list, x_refsource_MLIST |
http://www.openwall.com/lists/oss-security/2010/04/16/4 | mailing-list, x_refsource_MLIST |
http://secunia.com/advisories/39353 | third-party-advisory, x_refsource_SECUNIA |
http://www.securityfocus.com/bid/39485 | vdb-entry, x_refsource_BID |
http://jira.atlassian.com/browse/JRA-21004 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T01:14:06.696Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "jira-pathsettings-priv-escalation(57828)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57828" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://jira.atlassian.com/browse/JRA-20995" }, { "name": "[oss-security] 20100416 CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "name": "39353", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/39353" }, { "name": "39485", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/39485" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://jira.atlassian.com/browse/JRA-21004" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-04-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "jira-pathsettings-priv-escalation(57828)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57828" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://jira.atlassian.com/browse/JRA-20995" }, { "name": "[oss-security] 20100416 CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "name": "39353", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/39353" }, { "name": "39485", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/39485" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://jira.atlassian.com/browse/JRA-21004" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2010-1165", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then 
uploading a file, as exploited in the wild in April 2010." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "jira-pathsettings-priv-escalation(57828)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57828" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "name": "http://jira.atlassian.com/browse/JRA-20995", "refsource": "CONFIRM", "url": "http://jira.atlassian.com/browse/JRA-20995" }, { "name": "[oss-security] 20100416 CVE Request: JIRA Issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "name": "39353", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/39353" }, { "name": "39485", "refsource": "BID", "url": "http://www.securityfocus.com/bid/39485" }, { "name": "http://jira.atlassian.com/browse/JRA-21004", "refsource": "CONFIRM", "url": "http://jira.atlassian.com/browse/JRA-21004" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-1165", "datePublished": "2010-04-20T15:00:00", "dateReserved": "2010-03-29T00:00:00", "dateUpdated": "2024-08-07T01:14:06.696Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-13395
Vulnerability from cvelistv5
Published
2018-08-28 13:00
Modified
2024-09-16 16:42
Summary
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-67848 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira | < 7.6.8; >= 7.7.0, < 7.7.5; >= 7.8.0, < 7.8.5; >= 7.9.0, < 7.9.3; >= 7.10.0, < 7.10.3; >= 7.11.0, < 7.11.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:00:35.128Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67848" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom" }, { "lessThan": "7.8.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "7.9.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.10.0", "versionType": "custom" }, { "lessThan": "7.10.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.11.0", "versionType": "custom" }, { "lessThan": "7.11.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-08-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is 
being moved." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-08-28T12:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67848" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-08-27T00:00:00", "ID": "CVE-2018-13395", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.8" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.7.5" }, { "version_affected": "\u003e=", "version_value": "7.8.0" }, { "version_affected": "\u003c", "version_value": "7.8.5" }, { "version_affected": "\u003e=", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_value": "7.9.3" }, { "version_affected": "\u003e=", "version_value": "7.10.0" }, { "version_affected": "\u003c", "version_value": "7.10.3" }, { "version_affected": "\u003e=", "version_value": "7.11.0" }, { "version_affected": "\u003c", "version_value": "7.11.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-67848", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67848" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-13395", "datePublished": "2018-08-28T13:00:00Z", "dateReserved": "2018-07-06T00:00:00", "dateUpdated": "2024-09-16T16:42:34.901Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43947
Vulnerability from cvelistv5
Published
2022-01-06 01:05
Modified
2024-10-08 14:34
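Severity: 7.2 (HIGH), CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, as scored in the CISA ADP container of the record below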
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-73067 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.13.15; >= 8.14.0, < 8.20.3 |
Atlassian | Jira Data Center | < 8.13.15; >= 8.14.0, < 8.20.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:10:17.270Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73067" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.15", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.20.3", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.15", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "8.20.3", "status": "affected", "version": "8.14.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-43947", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T14:28:34.740441Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T14:34:08.233Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.15", "status": 
"affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.15", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-01-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution (RCE)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-06T01:05:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73067" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-01-05T00:00:00", "ID": "CVE-2021-43947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.15" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.3" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.15" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution (RCE)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-73067", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-73067" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-43947", "datePublished": "2022-01-06T01:05:10.045123Z", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-10-08T14:34:08.233Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-5232
Vulnerability from cvelistv5
Published
2018-07-18 14:00
Modified
2024-09-16 17:37
Summary
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-67410 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T05:33:43.591Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67410" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.10.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-07-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-07-18T13:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67410" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-07-18T00:00:00", "ID": "CVE-2018-5232", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.7" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.10.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-67410", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67410" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-5232", "datePublished": "2018-07-18T14:00:00Z", "dateReserved": "2018-01-05T00:00:00", "dateUpdated": "2024-09-16T17:37:58.152Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39118
Vulnerability from cvelistv5
Published
2021-09-14 04:55
Modified
2024-10-10 15:29
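Severity: 5.3 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, as scored in the CISA ADP container of the record below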
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72736 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | < 8.19.0 |
Atlassian | Jira Data Center | < 8.19.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:18.114Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72736" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-39118", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T15:27:12.798899Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T15:29:16.913Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.19.0", "status": "affected", 
"version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0." } ], "problemTypes": [ { "descriptions": [ { "description": "User Enumeration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-14T04:55:09", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72736" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-08-30T00:00:00", "ID": "CVE-2021-39118", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.19.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.19.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Enumeration" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72736", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72736" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-39118", "datePublished": "2021-09-14T04:55:09.602733Z", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-10-10T15:29:16.913Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15013
Vulnerability from cvelistv5
Published
2019-12-18 03:30
Modified
2024-09-16 16:57
Summary
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70405 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.218Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70405" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.4.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.5.0", "versionType": "custom" }, { "lessThan": "8.5.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-12-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Improper Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-18T03:30:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70405" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-12-18T00:00:00", "ID": "CVE-2019-15013", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.12" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.4.3" }, { "version_affected": "\u003e=", "version_value": "8.5.0" }, { "version_affected": "\u003c", "version_value": "8.5.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70405", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70405" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-15013", "datePublished": "2019-12-18T03:30:12.315609Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T16:57:38.126Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14594
Vulnerability from cvelistv5
Published
2018-01-12 14:00
Modified
2024-09-16 17:14
Summary
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-66495 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:34:39.621Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66495" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior 7.2.12" }, { "status": "affected", "version": "7.3.0 before 7.6.1" } ] } ], "datePublic": "2017-12-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-12T13:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66495" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-12-18T00:00:00", "ID": "CVE-2017-14594", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_value": "prior 7.2.12" }, { "version_value": "7.3.0 before 7.6.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript 
via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-66495", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66495" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-14594", "datePublished": "2018-01-12T14:00:00Z", "dateReserved": "2017-09-19T00:00:00", "dateUpdated": "2024-09-16T17:14:01.826Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2928
Vulnerability from cvelistv5
Published
2012-05-22 15:00
Modified
2024-08-06 19:50
Summary
The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/49166 | third-party-advisory, x_refsource_SECUNIA | |
http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://osvdb.org/81993 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/53595 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/75697 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:50:05.070Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "49166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/49166" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81993" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-05-17T00:00:00", "descriptions": [ { "lang": "en", "value": "The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "49166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/49166" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81993" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2928", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "49166", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/49166" }, { "name": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "refsource": "OSVDB", "url": "http://osvdb.org/81993" }, { "name": "53595", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53595" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2928", "datePublished": "2012-05-22T15:00:00", "dateReserved": "2012-05-22T00:00:00", "dateUpdated": "2024-08-06T19:50:05.070Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-16862
Vulnerability from cvelistv5
Published
2018-01-12 14:00
Modified
2024-09-16 18:48
Summary
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/102506 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/JRASERVER-66622 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.241Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "102506", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102506" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66622" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 7.6.2" } ] } ], "datePublic": "2018-01-11T00:00:00", "descriptions": [ { "lang": "en", "value": "The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the \"incoming mail\" whitelist setting via a Cross-site request forgery (CSRF) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-16T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "102506", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102506" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66622" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-01-11T00:00:00", "ID": "CVE-2017-16862", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_value": "prior to 7.6.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote 
attackers to modify the \"incoming mail\" whitelist setting via a Cross-site request forgery (CSRF) vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "102506", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102506" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-66622", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-66622" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-16862", "datePublished": "2018-01-12T14:00:00Z", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2024-09-16T18:48:43.537Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14168
Vulnerability from cvelistv5
Published
2020-07-01 01:35
Modified
2024-09-16 18:02
Summary
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-71198 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server and Data Center | Version: unspecified < 7.13.16; Version: 8.5.0 < unspecified; Version: unspecified < 8.5.7; Version: 8.8.0 < unspecified; Version: unspecified < 8.8.2; Version: 8.9.0 < unspecified; Version: unspecified < 8.9.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.072Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71198" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server and Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.5.0", "versionType": "custom" }, { "lessThan": "8.5.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.8.0", "versionType": "custom" }, { "lessThan": "8.8.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.9.0", "versionType": "custom" }, { "lessThan": "8.9.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Man-in-the-Middle (MitM)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-01T01:35:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71198" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-07-01T00:00:00", "ID": "CVE-2020-14168", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server and Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.16" }, { "version_affected": "\u003e=", "version_value": "8.5.0" }, { "version_affected": "\u003c", "version_value": "8.5.7" }, { "version_affected": "\u003e=", "version_value": "8.8.0" }, { "version_affected": "\u003c", "version_value": "8.8.2" }, { "version_affected": "\u003e=", "version_value": "8.9.0" }, { "version_affected": "\u003c", "version_value": "8.9.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Man-in-the-Middle (MitM)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-71198", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-71198" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14168", "datePublished": "2020-07-01T01:35:27.144694Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-16T18:02:52.905Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14172
Vulnerability from cvelistv5
Published
2020-07-03 01:40
Modified
2024-09-17 03:53
Summary
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-70940 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 7.13.0; Version: 8.0.0 < unspecified; Version: unspecified < 8.5.0; Version: 8.6.0 < unspecified; Version: unspecified < 8.8.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:39:36.159Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70940" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.5.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.8.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Template Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-22T16:48:53", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70940" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-22T00:00:00", "ID": "CVE-2020-14172", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.0" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.5.0" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.8.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Template Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-70940", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70940" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-14172", "datePublished": "2020-07-03T01:40:11.484562Z", "dateReserved": "2020-06-16T00:00:00", "dateUpdated": "2024-09-17T03:53:46.936Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26069
Vulnerability from cvelistv5
Published
2021-03-22 04:50
Modified
2024-09-17 02:37
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-72010 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Jira Server | Version: unspecified < 8.5.11; Version: 8.6.0 < unspecified; Version: unspecified < 8.13.3; Version: 8.14.0 < unspecified; Version: unspecified < 8.15.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.353Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72010" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.5.11", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.6.0", "versionType": "custom" }, { "lessThan": "8.13.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.15.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-01-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-22T04:50:12", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72010" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-01-21T00:00:00", "ID": "CVE-2021-26069", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.5.11" }, { "version_affected": "\u003e=", "version_value": "8.6.0" }, { "version_affected": "\u003c", "version_value": "8.13.3" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.15.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-72010", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72010" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26069", "datePublished": "2021-03-22T04:50:12.742409Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T02:37:34.201Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-6531
Vulnerability from cvelistv5
Published
2009-03-26 20:28
Modified
2024-08-07 11:34
Summary
The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/33084 | third-party-advisory, x_refsource_SECUNIA | |
http://www.osvdb.org/52707 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/32746 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/47211 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:34:47.183Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "33084", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33084" }, { "name": "52707", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/52707" }, { "name": "32746", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32746" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09" }, { "name": "jira-webwork1-security-bypass(47211)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47211" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-12-09T00:00:00", "descriptions": [ { "lang": "en", "value": "The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka \"WebWork 1 Parameter Injection Hole.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "33084", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33084" }, { "name": "52707", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/52707" }, { "name": "32746", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32746" }, { 
"tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09" }, { "name": "jira-webwork1-security-bypass(47211)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47211" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6531", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka \"WebWork 1 Parameter Injection Hole.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "33084", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33084" }, { "name": "52707", "refsource": "OSVDB", "url": "http://www.osvdb.org/52707" }, { "name": "32746", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32746" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09" }, { "name": "jira-webwork1-security-bypass(47211)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47211" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6531", "datePublished": "2009-03-26T20:28:00", "dateReserved": "2009-03-26T00:00:00", "dateUpdated": "2024-08-07T11:34:47.183Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-3339
Vulnerability from cvelistv5
Published
2006-07-03 18:00
Modified
2024-08-07 18:23
Summary
secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message.
References
▼ | URL | Tags |
---|---|---|
http://www.vupen.com/english/advisories/2006/2472 | vdb-entry, x_refsource_VUPEN | |
http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/27235 | vdb-entry, x_refsource_XF | |
http://www.osvdb.org/26745 | vdb-entry, x_refsource_OSVDB | |
http://jira.atlassian.com/browse/JRA-10542 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T18:23:21.274Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2006-2472", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "name": "jira-projectid-info-disclosure(27235)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27235" }, { "name": "26745", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/26745" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://jira.atlassian.com/browse/JRA-10542" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-06-20T00:00:00", "descriptions": [ { "lang": "en", "value": "secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-19T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2006-2472", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "tags": [ "x_refsource_MISC" ], "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "name": "jira-projectid-info-disclosure(27235)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27235" }, { "name": "26745", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/26745" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://jira.atlassian.com/browse/JRA-10542" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-3339", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2006-2472", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "name": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html", "refsource": "MISC", "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "name": "jira-projectid-info-disclosure(27235)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27235" }, { "name": "26745", "refsource": "OSVDB", "url": "http://www.osvdb.org/26745" }, { "name": "http://jira.atlassian.com/browse/JRA-10542", "refsource": "CONFIRM", "url": "http://jira.atlassian.com/browse/JRA-10542" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-3339", "datePublished": "2006-07-03T18:00:00", "dateReserved": "2006-07-03T00:00:00", "dateUpdated": "2024-08-07T18:23:21.274Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-20100
Vulnerability from cvelistv5
Published
2020-02-12 14:07
Modified
2024-09-17 00:40
Summary
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where the Jira server is present.
References
▼ | URL | Tags |
---|---|---|
https://www.tenable.com/security/research/tra-2020-06 | x_refsource_MISC | |
https://ecosystem.atlassian.net/browse/APL-1390 | x_refsource_MISC | |
https://jira.atlassian.com/browse/JRASERVER-70607 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Atlassian | Application Links | Version: unspecified < 5.4.21; Version: 6.0.0 < unspecified; Version: unspecified < 6.0.12; Version: 6.1.0 < unspecified; Version: unspecified < 6.1.2; Version: 7.0.0 < unspecified; Version: unspecified < 7.0.2; Version: 7.1.0 < unspecified; Version: unspecified < 7.1.3 |
Atlassian | Jira Server | Version: unspecified < 8.7.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:32:10.519Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2020-06" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ecosystem.atlassian.net/browse/APL-1390" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70607" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Application Links", "vendor": "Atlassian", "versions": [ { "lessThan": "5.4.21", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "6.0.0", "versionType": "custom" }, { "lessThan": "6.0.12", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "6.1.0", "versionType": "custom" }, { "lessThan": "6.1.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.0.0", "versionType": "custom" }, { "lessThan": "7.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.1.0", "versionType": "custom" }, { "lessThan": "7.1.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.7.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2020-02-03T00:00:00", "descriptions": [ { "lang": "en", "value": "The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). 
The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-12T14:07:54", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.tenable.com/security/research/tra-2020-06" }, { "tags": [ "x_refsource_MISC" ], "url": "https://ecosystem.atlassian.net/browse/APL-1390" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70607" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-02-03T00:00:00", "ID": "CVE-2019-20100", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Application Links", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "5.4.21" }, { "version_affected": "\u003e=", "version_value": "6.0.0" }, { "version_affected": "\u003c", "version_value": "6.0.12" }, { "version_affected": "\u003e=", "version_value": "6.1.0" }, { "version_affected": "\u003c", "version_value": "6.1.2" }, { "version_affected": "\u003e=", "version_value": "7.0.0" }, { "version_affected": "\u003c", "version_value": "7.0.2" }, { "version_affected": "\u003e=", "version_value": "7.1.0" }, { "version_affected": "\u003c", "version_value": "7.1.3" } ] } }, { "product_name": "Jira 
Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.7.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.tenable.com/security/research/tra-2020-06", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2020-06" }, { "name": "https://ecosystem.atlassian.net/browse/APL-1390", "refsource": "MISC", "url": "https://ecosystem.atlassian.net/browse/APL-1390" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-70607", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70607" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20100", "datePublished": "2020-02-12T14:07:54.434471Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-17T00:40:31.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-14998
Vulnerability from cvelistv5
Published
2019-09-11 13:56
Modified
2024-09-16 22:51
Severity ?
EPSS score ?
Summary
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69791 | x_refsource_CONFIRM | |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.105Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69791" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "8.4.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via \"cookie tossing\" a CSRF cookie from a subdomain of a Jira instance." } ], "problemTypes": [ { "descriptions": [ { "description": "N/A", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-16T18:06:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69791" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-09-10T00:00:00", "ID": "CVE-2019-14998", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.4.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Webwork action 
Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via \"cookie tossing\" a CSRF cookie from a subdomain of a Jira instance." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "N/A" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69791", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-69791" }, { "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-14998", "datePublished": "2019-09-11T13:56:26.253836Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T22:51:07.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11585
Vulnerability from cvelistv5
Published
2019-08-23 13:49
Modified
2024-09-16 20:32
Severity ?
EPSS score ?
Summary
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.
References
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/JRASERVER-69784 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:41.014Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69784" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira", "vendor": "Atlassian", "versions": [ { "lessThan": "7.13.6", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-08-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect." 
} ], "problemTypes": [ { "descriptions": [ { "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T13:49:47", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69784" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-08-13T00:00:00", "ID": "CVE-2019-11585", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.13.6" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.2.3" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/JRASERVER-69784", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69784" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-11585", "datePublished": "2019-08-23T13:49:47.527781Z", "dateReserved": "2019-04-29T00:00:00", "dateUpdated": "2024-09-16T20:32:20.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd (CVE-2007-6619)
Published
2008-01-03 23:46
Modified
2024-11-21 00:40
Severity ?
Summary
The Setup Wizard in Atlassian JIRA Enterprise Edition before 3.12.1 does not properly restrict setup attempts after setup is complete, which allows remote attackers to change the default language.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:enterprise:*:*:*:*:*", "matchCriteriaId": "204318E0-AA2F-4DCD-9CCE-73A2F2DD838D", "versionEndIncluding": "3.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Setup Wizard in Atlassian JIRA Enterprise Edition before 3.12.1 does not properly restrict setup attempts after setup is complete, which allows remote attackers to change the default language." }, { "lang": "es", "value": "El Asistente de Instalaci\u00f3n de Atlassian JIRAEnterprise Edition anterior a 3.12.1 no restringe adecuadamente los intentos de instalaci\u00f3n una vez que la instalaci\u00f3n se ha completado, lo cual permite a atacantes remotos cambiar el lenguaje por defecto." } ], "id": "CVE-2007-6619", "lastModified": "2024-11-21T00:40:36.970", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-01-03T23:46:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/42770" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/27954" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27095" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Patch" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/42770" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/27954" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/27095" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2021-41304)
Published
2021-10-26 05:15
Modified
2024-11-21 06:26
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72939 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72939 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "946B9E6E-8686-47AD-AB4B-299ECF9573BE", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "0827EA48-7527-40C3-B0EC-29FEA4912884", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "D739434B-2338-446B-BFA3-B84057629DB0", "versionEndExcluding": "8.20.2", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "518AFD51-A388-4687-B8D7-3961E0DC9999", "versionEndExcluding": "8.20.2", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos inyectar HTML o JavaScript arbitrarios a trav\u00e9s de una vulnerabilidad de Cross-Site Scripting (XSS) en el mensaje de error /secure/admin/ImporterFinishedPage.jspa. Las versiones afectadas son anteriores a la versi\u00f3n 8.13.12, y desde la versi\u00f3n 8.14.0 hasta la versi\u00f3n 8.20.2." 
} ], "id": "CVE-2021-41304", "lastModified": "2024-11-21T06:26:00.430", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-10-26T05:15:06.857", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72939" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72939" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2021-43947)
Published
2022-01-06 01:15
Modified
2024-11-21 06:30
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-73067 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-73067 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CCE06B7-9446-49F4-8B23-4544506E5143", "versionEndExcluding": "8.13.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFC89A4F-566E-4CF3-962C-5F0985A2A9BF", "versionEndExcluding": "8.13.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BDD3421F-7C67-4A9E-BAE2-1FD74F921BB9", "versionEndExcluding": "8.20.3", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9025C857-EC16-431D-B3F9-4F10BE17C8A4", "versionEndExcluding": "8.20.3", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos con privilegios de administrador ejecutar c\u00f3digo arbitrario por medio de una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota (RCE) en la funcionalidad Email Templates. Este problema evita la correcci\u00f3n de https://jira.atlassian.com/browse/JSDSERVER-8665. Las versiones afectadas son anteriores a versi\u00f3n 8.13.15, y desde versi\u00f3n 8.14.0 hasta 8.20.3." 
} ], "id": "CVE-2021-43947", "lastModified": "2024-11-21T06:30:03.763", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-01-06T01:15:07.917", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73067" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73067" } ], 
"sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2019-3399)
Published
2019-04-30 16:29
Modified
2024-11-21 04:42
Severity ?
Summary
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69246 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69246 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DB85D56-71EA-478E-95CF-8CCD86367103", "versionEndExcluding": "7.13.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D8211E1-DD5C-4518-894D-6F62B9C72B1A", "versionEndExcluding": "8.0.2", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check." }, { "lang": "es", "value": "El recurso BrowseProjects.jspa en Jira anterior a la versi\u00f3n 7.13.2 y desde la versi\u00f3n 8.0.0 anterior a la versi\u00f3n 8.0.2 permite a los atacantes remotos observar informaci\u00f3n de proyectos archivados por a una falta de comprobaci\u00f3n de autorizaci\u00f3n." 
} ], "id": "CVE-2019-3399", "lastModified": "2024-11-21T04:42:01.927", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-04-30T16:29:00.683", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69246" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69246" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2020-36237)
Published
2021-02-15 00:15
Modified
2024-11-21 05:29
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72064 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72064 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C3C2792-0AEC-451D-85B0-169F8513F1DD", "versionEndExcluding": "8.15.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "004AF107-ADF0-4DB8-9B53-11A9BBD5D225", "versionEndExcluding": "8.15.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos no autenticados visualizar opciones de campo personalizadas por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el endpoint /rest/api/2/customFieldOption/.\u0026#xa0;Las versiones afectadas son anteriores a la versi\u00f3n 8.15.0" } ], "id": "CVE-2020-36237", "lastModified": "2024-11-21T05:29:07.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", 
"integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-15T00:15:12.557", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72064" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72064" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-13 18:29
Modified
2024-11-21 04:01
Severity ?
Summary
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/107023 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-68614 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/107023 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-68614 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1440CD2A-A7E4-45BC-A2B3-261158582705", "versionEndExcluding": "7.6.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D15A1BAF-2266-47C1-8496-8549A002F923", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting." }, { "lang": "es", "value": "El gadget de widget de etiquetas en Atlassian Jira, en versiones anteriores a la 7.6.11 y desde la versi\u00f3n 7.7.0 hasta antes de la 7.13.1, permite que los atacantes remotos inyecten HTML o JavaScript arbitrarios mediante una vulnerabilidad Cross-Site Scripting (XSS) en el renderizado del contenido recuperado de una ubicaci\u00f3n de URL que podr\u00eda ser manipulada por la opci\u00f3n de preferencias de widget up_projectid." 
} ], "id": "CVE-2018-20232", "lastModified": "2024-11-21T04:01:08.053", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-02-13T18:29:00.620", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107023" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68614" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107023" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68614" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-06 03:15
Modified
2024-11-21 04:38
Severity ?
Summary
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and from 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70543 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70543 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | 8.6.0 | |
atlassian | jira_server | * | |
atlassian | jira_server | 8.6.0 | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "F460A680-2B63-426A-8A84-4C82FBF1F9CC", "versionEndExcluding": "7.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ED1DE8F-9111-4C97-ADBB-2A535AAC5888", "versionEndExcluding": "8.5.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:8.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "F5ACF736-C6CE-4914-89AD-097CE5F2C6D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BD9BB0B-AA95-4E60-85A0-2C026D3AE84F", "versionEndExcluding": "8.5.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:8.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B2C6AD4A-3055-438D-A12F-947DA304896D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "4533787F-FCA4-400D-9449-8B773B25AA52", "versionEndExcluding": "7.13.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug." }, { "lang": "es", "value": "Las propiedades de comentarios en Atlassian Jira Server y Data Center antes de la versi\u00f3n 7.13.12, desde versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.5.4 y versi\u00f3n 8.6.0 antes de la versi\u00f3n 8.6.1, permiten a atacantes remotos hacer comentarios sobre un ticket para el que no tienen permisos de comentarios por medio de un bug de control de acceso roto." 
} ], "id": "CVE-2019-20106", "lastModified": "2024-11-21T04:38:04.510", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-06T03:15:10.200", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70543" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70543" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-276" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-10-12 04:15
Modified
2024-11-21 05:02
Severity ?
Summary
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71652 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71652 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | 8.13.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B153C73-A49A-4B82-BAF2-471E899B9281", "versionEndExcluding": "8.5.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA08312D-080E-4D50-ADE8-5103DACEE710", "versionEndExcluding": "8.12.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:8.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "3842F70C-EC21-479E-B1EE-0AF7989068E1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server, permiten a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) en los archivos de exportaci\u00f3n de filtros de problemas de Jira. 
Las versiones afectadas son anteriores a 8.5.9, desde versi\u00f3n 8.6.0 anteriores a 8.12.3 y desde versi\u00f3n 8.13.0 anteriores a 8.13.1" } ], "id": "CVE-2020-14184", "lastModified": "2024-11-21T05:02:49.747", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-10-12T04:15:12.077", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71652" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71652" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-14 05:15
Modified
2024-11-21 06:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72237 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72237 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9C3A53C-7B54-4254-B323-BA538A00800B", "versionEndExcluding": "8.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "513E5201-FFA7-494F-BE84-BADA75070E0F", "versionEndExcluding": "8.16.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application\u0027s availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0." }, { "lang": "es", "value": "Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes no autenticados remotos impactar en la disponibilidad de la aplicaci\u00f3n por medio de una vulnerabilidad de Denegaci\u00f3n de Servicio (DoS) en el endpoint /rest/gadget/1.0/createdVsResolved/generate. 
Las versiones afectadas son anteriores a 8.16.0" } ], "id": "CVE-2021-39123", "lastModified": "2024-11-21T06:18:37.793", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-09-14T05:15:09.993", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72237" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72237" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-04-06 13:29
Modified
2024-11-21 03:19
Severity ?
Summary
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103765 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67075 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103765 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67075 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2F243B1-7B91-4254-8F09-A516329EE956", "versionEndExcluding": "7.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields." }, { "lang": "es", "value": "El recurso searchrequest-xml en Atlassian Jira, en versiones anteriores a la 7.6.1, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) a trav\u00e9s de varios campos." } ], "id": "CVE-2017-18098", "lastModified": "2024-11-21T03:19:21.440", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-04-06T13:29:00.327", "references": [ { "source": 
"security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103765" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67075" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103765" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67075" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:02
Severity ?
Summary
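The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability. (Note: the CPE match criteria in this record use versionEndExcluding 7.13.14 for the 7.x range, not 7.13.4; confirm the fixed version against the vendor advisory, JRASERVER-71197, before relying on either figure.)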
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71197 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71197 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C37B767-CBE4-4E98-9FB8-90020424EFE4", "versionEndExcluding": "7.13.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "75CC108C-2D1D-4BE0-B0F2-3013E31605C4", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "547F1523-AD76-4557-820B-7CB0AD0F9659", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "74AEEBB1-3786-457D-891D-926DB7A4FDBB", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEB10566-CCFE-4C65-8AB7-C11BD071AD6D", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA7A5733-8237-44A3-B6EA-06E6855A89DD", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "29550345-AC18-4BA4-9632-7750F21CCD58", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "19A3E98A-DE12-41BB-BF8A-B7D20EC46614", "versionEndExcluding": "7.13.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers 
to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability." }, { "lang": "es", "value": "El recurso MessageBundleResource en Jira Server y Data Center versiones anteriores a 7.13.4, desde versiones 8.5.0 anteriores a 8.5.5, desde versiones 8.8.0 anteriores a 8.8.2 y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos impactar la disponibilidad de la aplicaci\u00f3n por medio de una vulnerabilidad de Denegaci\u00f3n de Servicio (DoS)" } ], "id": "CVE-2020-14167", "lastModified": "2024-11-21T05:02:47.233", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:11.897", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71197" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71197" } ], "sourceIdentifier": "security@atlassian.com", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-03 04:15
Modified
2024-11-21 06:26
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72801 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72801 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F51358C-0AB4-439B-A646-400256278BA3", "versionEndExcluding": "8.19.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9EC0B21-4012-445C-AF1B-30321B44C46A", "versionEndExcluding": "8.19.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a un atacante remoto al que le ha sido revocado el acceso a Jira Service Management habilitar y deshabilitar Issue Collectors en proyectos de Jira Service Management por medio de una vulnerabilidad de Autenticaci\u00f3n Inapropiada en el endpoint /secure/ViewCollectors. 
Las versiones afectadas son anteriores a versi\u00f3n 8.19.1" } ], "id": "CVE-2021-41312", "lastModified": "2024-11-21T06:26:01.807", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-11-03T04:15:09.127", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72801" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72801" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:02
Severity ?
Summary
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71184 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71184 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "01B6B068-1EB0-4FA8-8E6B-C3A5385FA8E5", "versionEndExcluding": "8.8.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7C8EBC9-AA40-4C23-8D79-77249D278409", "versionEndExcluding": "8.8.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field." }, { "lang": "es", "value": "El recurso del editor WYSIWYG en Jira Server and Data Center versiones anteriores a 8.8.2, permite a atacantes remotos inyectar nombres HTML o JavaScript arbitrarios por medio de una vulnerabilidad de tipo Cross Site Scripting (XSS) al pegar un c\u00f3digo javascript en el campo del editor" } ], "id": "CVE-2020-14164", "lastModified": "2024-11-21T05:02:46.907", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": 
"CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:11.677", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71184" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71184" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-03-22 05:15
Modified
2024-11-21 05:55
Severity: 7.2 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD primary score, from the record below)
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72029 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72029 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "09CBD196-0202-4A65-BC01-8DD009159343", "versionEndExcluding": "8.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD26E1FA-D472-40ED-B8BC-876F2A7EF3FA", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "121B25D7-31B4-4A85-BA57-5FE0DE58F4F4", "versionEndExcluding": "8.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5814BDF-AF93-4440-AFEA-75AADFA95EA7", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." 
}, { "lang": "es", "value": "Versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos evadir una protecci\u00f3n detr\u00e1s del firewall de los recursos app-linked por medio de una vulnerabilidad de Autenticaci\u00f3n Rota en el recurso de gadget \"makeRequest\".\u0026#xa0;Las versiones afectadas son anteriores a 8.13.3 y desde versi\u00f3n 8.14.0 anteriores a 8.14.1" } ], "id": "CVE-2021-26070", "lastModified": "2024-11-21T05:55:48.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-03-22T05:15:13.257", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72029" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72029" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": 
"CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-04-20 15:30
Modified
2024-11-21 01:13
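Severity: 4.3 (Medium), CVSS 2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N (NVD primary score, from the record below; no CVSS 3.x score is listed)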
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | 3.12 | |
atlassian | jira | 3.12.1 | |
atlassian | jira | 3.12.2 | |
atlassian | jira | 3.12.3 | |
atlassian | jira | 3.13 | |
atlassian | jira | 3.13.1 | |
atlassian | jira | 3.13.2 | |
atlassian | jira | 3.13.3 | |
atlassian | jira | 3.13.4 | |
atlassian | jira | 3.13.5 | |
atlassian | jira | 4.0 | |
atlassian | jira | 4.0.1 | |
atlassian | jira | 4.0.2 | |
atlassian | jira | 4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:3.12:*:*:*:*:*:*:*", "matchCriteriaId": "DEA72E9E-ED89-4CD1-AF2F-3C2060E115FE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "67D2DF18-C072-47EF-9F99-3FBC3BD0B46A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "618C3DD0-2AE2-4188-8BC2-69365594ADA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "49E76A26-4A32-4D17-AE09-DAA99AAA49D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13:*:*:*:*:*:*:*", "matchCriteriaId": "59835FFB-BB1C-4403-9CEC-DFC31F1A4D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "FAD7160D-BB0D-433A-8C7B-83BC311F53A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "74F52C0A-6567-4466-A20C-9BC457E56592", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "547EF015-960F-43DB-8985-8BE65B14230A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.4:*:*:*:*:*:*:*", "matchCriteriaId": "4931F747-FA7D-42BF-B71F-277EE38A29C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.5:*:*:*:*:*:*:*", "matchCriteriaId": "856597BE-1407-4587-B591-BD8B5B097B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6039B692-0E90-428E-B953-D1F21AC48575", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EEED2354-51E8-4BF0-A07E-C70E14A8D79A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "86E22F6B-1CB8-4BAA-85EE-9B5FC4FD7635", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"1B07F838-5D36-4CEB-9579-3AB8BD67CCB6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Atlassian JIRA v3.12 hasta la v4.1. 
Permiten a usuarios remotos inyectar codigo de script web o c\u00f3digo HTML de su elecci\u00f3n a trav\u00e9s de el par\u00e1metro (1) \"element\" (elemento) o (2) \"defaultColor\" (color por defecto) a la p\u00e1gina de \"Colour Picker\" (selecci\u00f3n de colores); el (3) par\u00e1metro \"formName\", (4) par\u00e1metro \"element\", o (5) campo \"full name\" (nombre completo) a la p\u00e1gina \"User Picker\" (selecci\u00f3n de usuario); el (6) par\u00e1metro formName, (7) par\u00e1metro \"element\", o (8) campo \"group name\" (nombre de grupo) a la p\u00e1gina \"Group Picker\" (selecci\u00f3n de grupo); el (9) par\u00e1metro announcement_preview_banner_st de componentes sin especificar, relacionados con la p\u00e1gina \"Announcement Banner Preview\" (vista previa de anuncio); vectores sin especificar relacionados con las p\u00e1ginas (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, o (14) cleancommentspam.jsp; el (15) par\u00e1metro portletKey de runportleterror.jsp; la (16) URI de issuelinksmall.jsp; el (17) par\u00e1metro afterURL de screenshot-redirecter.jsp; o la (18) cabecera HTTP Referrer de 500page.jsp, tal como se ha explotado activamente en Abril del 2010." 
} ], "id": "CVE-2010-1164", "lastModified": "2024-11-21T01:13:46.883", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2010-04-20T15:30:00.507", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-20994" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-21004" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/39353" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/39485" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor 
Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-20994" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-21004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/39353" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/39485" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-14 05:15
Modified
2024-11-21 06:18
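Severity: 4.3 (Medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD primary score, from the record below)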
Summary
The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72761 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72761 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9C3A53C-7B54-4254-B323-BA538A00800B", "versionEndExcluding": "8.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "513E5201-FFA7-494F-BE84-BADA75070E0F", "versionEndExcluding": "8.16.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request." }, { "lang": "es", "value": "La funcionalidad de tipo Cross-Site Request Forgery (CSRF) failure retry de Atlassian Jira Server y Data Center versiones anteriores a 8.16.0, permite a atacantes remotos que son capaces de enga\u00f1ar a un usuario para que reintente una petici\u00f3n para omitir la protecci\u00f3n de tipo CSRF y reproducir una petici\u00f3n dise\u00f1ada" } ], "id": "CVE-2021-39124", "lastModified": "2024-11-21T06:18:38.027", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": 
"LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-14T05:15:10.080", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72761" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72761" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-13 17:15
Modified
2024-11-21 01:37
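Severity: 5.4 (Medium), CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD primary score, from the record below)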
Summary
Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/21052 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/21052 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | greenhopper | * | |
atlassian | jira | 4.4.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:greenhopper:*:*:*:*:*:*:*:*", "matchCriteriaId": "890F8B89-7F7C-4B2D-A166-1D3890E2955E", "versionEndExcluding": "5.9.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "395E3ED3-3DA5-40A6-B932-36F9BF13FD76", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code." }, { "lang": "es", "value": "Una vulnerabilidad de tipo XSS almacenado del archivo UpdateFieldJson.jspa en JIRA versi\u00f3n 4.4.3 y GreenHopper versiones anteriores a 5.9.8, permite a un atacante inyectar c\u00f3digo de script arbitrario." } ], "id": "CVE-2012-1500", "lastModified": "2024-11-21T01:37:06.647", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2020-02-13T17:15:22.007", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/21052" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://web.archive.org/web/20121014055829/http://www.cloudscan.me/2012/09/cve-2012-1500-ghs-5375-ghs-5642.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/21052" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-22 18:29
Modified
2024-11-21 04:49
Severity: 7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD primary score, from the record below)
Summary
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/108460 | Broken Link | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69241 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/108460 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69241 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5F53E99-E523-46BC-BB9C-2C1088D30E69", "versionEndExcluding": "7.13.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2468233-97B0-4673-A2EA-5787CFD56097", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2806E160-A601-4276-A3F2-8F73DA3AE3E0", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check." }, { "lang": "es", "value": "CachingResourceDownloadRewriteRule class in Jira antes versi\u00f3n 7.13.4, y desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.0.4, y desde la versi\u00f3n 8.1.0 antes versi\u00f3n 8.1.1, permite a los atacantes remotos acceder a los archivos en el webroot de Jira bajo el directorio META-INF mediante una comprobaci\u00f3n lax path." 
} ], "id": "CVE-2019-8442", "lastModified": "2024-11-21T04:49:54.717", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-22T18:29:02.067", "references": [ { "source": "security@atlassian.com", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/108460" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69241" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/108460" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69241" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-05-22 15:55
Modified
2024-11-21 01:39
Severity ?
Summary
The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:tm_software:tempo:*:*:*:*:*:*:*:*", "matchCriteriaId": "1AB50394-E845-4289-AA14-C00297082069", "versionEndIncluding": "6.4.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A4ECAC4-445B-4774-97E2-0E80DD26931A", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "5DF54428-E8AB-4E0C-AC01-84006DB7DEB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4CB5C44B-2007-4867-B382-778ECD60B07D", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "406F1724-FB6A-4567-AACF-EF00F11247EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E5416C9A-0322-4E27-8E0D-ACB35A1CCC44", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "DE6882C3-6196-4627-ADEF-1415F5E39F55", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "3496377F-EE1E-4EC6-A20E-8127E623E8D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:2.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "022D3DF0-1BA4-4B11-9F38-E82535852A8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7150D122-12F1-4700-B787-8E1D95F860CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2D5BC919-3A24-4B3D-A0AF-3B5522E2F399", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "30C58535-2AD1-4199-92CC-27E6659C0E4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "485A3879-8DD1-4D0B-A927-F8D0B6AF4BE5", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:tm_software:tempo:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A8730BAB-C29D-4FAA-BCAB-7483EBB3DD8F", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "23B02AE6-D121-4CF4-AA27-7804568B3BDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "DA4D919B-B553-465D-981F-70582CF19085", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "D0AD7F90-F678-4247-8E42-88487610DD63", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "52C223C4-AD27-4D7C-9A49-4561DF0C6177", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0B700907-A927-4E3C-88A7-18B832F3D206", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5D0EF883-4B41-468A-80DC-C82D350F1B76", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A7C78708-BC96-4ABA-A8FD-E128E84E5EE3", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "A696CC2B-9576-40C5-93E1-B6B9C680A7EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E154941-85BC-45E6-AB89-D9B7C7DD4698", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "21A839A4-8064-49FA-A78D-5094F957A0A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "3546E40E-E222-4D0E-A6B4-CC1E868F2E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "E666ADD5-AFE3-42D0-ADB1-D13611AAF7FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "B8D42E30-DC65-4CCC-81E5-021265CC980A", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "3A8DBAED-975D-4582-B7B9-8638B61785DA", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "D66B4734-890D-4F3D-888C-F760C228265B", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3DF51F9F-5FAF-4A51-93A4-B8AE4EFA6678", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "60ADCA86-451A-4755-9EA4-BA56FA40BFFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "F51E4187-C8A8-4901-874B-F5FBC22C6C3A", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "77826380-60EB-4BD3-9F2D-5B6225357C88", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C1EA4541-9C99-4C33-BF1B-869396839AB5", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F4A3D989-553E-4A83-9385-29726AB5329F", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8AE70D8E-4346-47E4-AFE2-4D8E11E03D6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "A833804A-C11E-40AE-8288-35B10EE44B57", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "070991DB-443C-4EE8-B073-CE8241B2F909", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.1.1:jira42:*:*:*:*:*:*", "matchCriteriaId": "00000281-FDC3-4061-994A-2198988B3A7D", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B6AC158-49C0-4B03-AF6D-04D1500CB2E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.1-jira42:*:*:*:*:*:*:*", 
"matchCriteriaId": "E7E7EA8D-7575-4B60-BE52-96E5FDF25AC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.2:jira42:*:*:*:*:*:*", "matchCriteriaId": "2F19625C-C38E-4256-A67A-F0D29B96C066", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.3:jira42:*:*:*:*:*:*", "matchCriteriaId": "34E764E0-194C-472B-8437-0BCDEB135411", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.4:jira42:*:*:*:*:*:*", "matchCriteriaId": "981A4F7B-7947-4CDC-A771-BD054CE4F118", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.5:jira42:*:*:*:*:*:*", "matchCriteriaId": "5523392F-E133-45FF-B2EA-92FED4504C7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.6:jira42:*:*:*:*:*:*", "matchCriteriaId": "72F72EBF-5DE6-4BCA-91C8-872D16E38FAE", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.2.7:jira42:*:*:*:*:*:*", "matchCriteriaId": "A35A73DC-F17F-48CA-B454-724A1EADC6B5", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.3.1:jira42:*:*:*:*:*:*", "matchCriteriaId": "F6FB5054-BECD-4341-BA05-6805F5B4224B", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.4:jira42:*:*:*:*:*:*", "matchCriteriaId": "BA3E6A01-4BB5-4891-AB31-102C45884756", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "42DA35D2-A969-4202-8449-020630E8CC0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:6.5:*:*:*:*:*:*:*", "matchCriteriaId": "A2C42F73-FFA0-4116-B2CA-D0A8554A6315", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5AD19BB-2640-4919-8EB9-06612E45D527", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:7.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F2708B03-8B48-4315-9372-04A1E5EBB15E", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:7.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "81CA7C8D-4009-4455-9235-268E4C76632C", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "51037974-8FD5-4B4E-A92F-8E4EEA58B093", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo6.3.0:jira42:*:*:*:*:*:*:*", "matchCriteriaId": "779DD283-2C65-48B4-AD41-3B68BB4B0240", "vulnerable": true }, { "criteria": "cpe:2.3:a:tm_software:tempo6.3.2:jira42:*:*:*:*:*:*:*", "matchCriteriaId": "3C802033-FC5A-470D-BB35-E96144B11707", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8CAC456-22A9-4D0B-9642-96123EE9206A", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors." 
}, { "lang": "es", "value": "El complemento \"Software TM Tempo\" para Atlassian JIRA antes de v6.4.3.1, v6.5.x antes de v6.5.0.2 y v7.x antes de v7.0.3 no restringe correctamente las capacidades de los analizadores XML de terceros, lo que permite provocar una denegaci\u00f3n de servicio (por excesivo consumo de recursos) a usuarios remotos autenticados a trav\u00e9s de vectores no especificados.\r\n" } ], "id": "CVE-2012-2927", "lastModified": "2024-11-21T01:39:57.370", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-05-22T15:55:02.900", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81993" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/49166" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/53595" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81993" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/49166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/53595" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-18 18:29
Modified
2024-11-21 03:17
Severity ?
Summary
The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/102732 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66623 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102732 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66623 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "477C1D5A-7CB7-44C9-B6B9-6686D6D7BBFE", "versionEndExcluding": "7.5.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter." }, { "lang": "es", "value": "El gadget PieChart en Atlassian Jira en versiones anteriores a la 7.5.3 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) mediante el nombre de un proyecto o filtro." } ], "id": "CVE-2017-16863", "lastModified": "2024-11-21T03:17:07.453", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-18T18:29:00.340", "references": [ { 
"source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102732" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66623" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66623" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-04-06 13:29
Modified
2024-11-21 03:19
Severity ?
Summary
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103764 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67076 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103764 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67076 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2F243B1-7B91-4254-8F09-A516329EE956", "versionEndExcluding": "7.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card." }, { "lang": "es", "value": "El recurso de importaci\u00f3n de tableros de Trello en Atlassian Jira, en versiones anteriores a la 7.6.1, permite que atacantes remotos que puedan convencer a un administrador de Jira para que importe su tablero de Trello inyecten HTML o JavaScript arbitrarios mediante una vulnerabilidad de Cross-Site Scripting (XSS) en el t\u00edtulo de una tarjeta de Trello." 
} ], "id": "CVE-2017-18097", "lastModified": "2024-11-21T03:19:21.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-04-06T13:29:00.267", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103764" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67076" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103764" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67076" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-05-22 15:55
Modified
2024-11-21 01:39
Severity ?
Summary
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | bamboo | * | |
atlassian | bamboo | * | |
atlassian | confluence | * | |
atlassian | confluence_server | * | |
atlassian | confluence_server | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crucible | * | |
atlassian | crucible | * | |
atlassian | crucible | * | |
atlassian | fisheye | * | |
atlassian | fisheye | * | |
atlassian | fisheye | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C1EA6F7-CF4A-43C8-AD67-4A3E97D7B0BC", "versionEndExcluding": "3.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B53F201-032F-4672-A271-8D424B939775", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4059F4D-831C-467C-91BC-B49BB7A5487E", "versionEndExcluding": "3.5.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9718C5D3-364A-4BD0-B60D-5FCEA8B1BAFF", "versionEndExcluding": "4.0.7", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "121D6C9B-9746-423C-9A0A-13697F7B490B", "versionEndExcluding": "4.1.10", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB8E3563-1CF4-4665-8CD3-CAEFFBB6B3B6", "versionEndExcluding": "2.0.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "55437340-1D44-41C7-B82A-6E6473C17B62", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "68C5F90D-1AB3-409E-9A84-8EF42735BCD9", "versionEndExcluding": "2.2.9", "versionStartIncluding": "2.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "C99026A0-1B4A-4CF7-B7E5-DC1231302CEC", "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "28E820F2-4E46-4744-9EE9-C9CDEF78B8D7", "versionEndExcluding": "2.4.1", 
"versionStartIncluding": "2.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD4C65C4-2C22-48F2-B4F6-D40915374FF1", "versionEndExcluding": "2.5.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "263668EC-0168-4FC2-82E3-6606269AE372", "versionEndExcluding": "2.6.8", "versionStartIncluding": "2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "B62B11D8-BC78-431B-91D4-F6CE14E0C7D0", "versionEndExcluding": "2.7.12", "versionStartIncluding": "2.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "77B117D3-9D05-4192-9A40-B4610D636DE7", "versionEndExcluding": "2.5.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "3768A3A7-B5F8-46C7-A932-1C779C167216", "versionEndExcluding": "2.6.8", "versionStartIncluding": "2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "4779A8F0-9CDB-46F7-9EB6-B155187218EB", "versionEndExcluding": "2.7.12", "versionStartIncluding": "2.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "20F692D8-2A86-403D-82C6-363C9798BD3A", "versionEndExcluding": "5.0.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) 
via unspecified vectors." }, { "lang": "es", "value": "Atlassian JIRA antes de v5.0.1; Confluence antes de v3.5.16, v4.0 antes de v4.0.7, y v4.1 antes de v4.1.10; \u0027FishEye and Crucible\u0027 antes de v2.5.8, v2.6 antes de v2.6.8, y v2.7 antes de v2.7.12; Bamboo antes de v3.3.4 y v3.4.x antes de v3.4.5, y Crowd antes de v2.0.9, v2.1 antes de v2.1.2, v2.2 antes de v2.2.9, v2.3 antes de v2.3.7 y v2.4 antes de v2.4.1 no restringen correctamente las capacidades de los analizadores XML de terceros, lo que permite leer ficheros de su elecci\u00f3n o causar una denegaci\u00f3n de servicio (por excesivo consumo de recursos) a atacantes remotos a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2012-2926", "lastModified": "2024-11-21T01:39:57.133", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2012-05-22T15:55:02.853", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/81993" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/49146" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/53595" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/81993" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/49146" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/53595" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-02-15 03:15
Modified
2024-11-21 06:30
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-73170 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-73170 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "41483020-6F56-4029-82E4-F1A4923EB5CA", "versionEndExcluding": "8.13.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E28AEDF-EC6A-4DC0-ADDF-81EDB5779FC9", "versionEndExcluding": "8.20.5", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "27FAE5C6-CDD8-4658-A50E-91C866CDE9B2", "versionEndExcluding": "8.13.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0B3423A-909E-4FD2-9036-6962E1EC0E1D", "versionEndExcluding": "8.20.5", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a los atacantes remotos no autentificados cambiar la configuraci\u00f3n de la retenci\u00f3n de hilos y la monitorizaci\u00f3n de la CPU a trav\u00e9s de una vulnerabilidad de falsificaci\u00f3n de solicitud de sitio cruzado (CSRF) en el punto final /secure/admin/ViewInstrumentation.jspa. 
Las versiones afectadas son anteriores a la versi\u00f3n 8.13.16, y desde la versi\u00f3n 8.14.0 anteriores a la 8.20.5" } ], "id": "CVE-2021-43953", "lastModified": "2024-11-21T06:30:04.570", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-15T03:15:07.497", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73170" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73170" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-10-23 13:29
Modified
2024-11-21 03:47
Severity ?
Summary
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/105751 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-68139 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105751 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-68139 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "25E9DDE1-F33F-4F65-A521-807D4F09C0AE", "versionEndExcluding": "7.6.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386", "versionEndExcluding": "7.8.5", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2", "versionEndExcluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C568973F-5079-49ED-928D-7F11C842CF4B", "versionEndExcluding": "7.10.3", "versionStartIncluding": "7.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "551A5667-1184-4E3D-9AA7-90C8D18590C3", "versionEndExcluding": "7.11.3", "versionStartIncluding": "7.11.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "078CC169-BA97-4F89-A9AE-05E21FC867CA", "versionEndExcluding": "7.12.3", "versionStartIncluding": "7.12.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0A81285-A452-4AFE-94BE-3B27014535A3", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before 
version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user\u0027s Cross-site request forgery (CSRF) token through an open redirect vulnerability." }, { "lang": "es", "value": "El recurso XsrfErrorAction en Atlassian Jira en versiones anteriores a la 7.6.9, desde la versi\u00f3n 7.7.0 anterior a la 7.7.5, desde la versi\u00f3n 7.8.0 anterior a la 7.8.5, desde la versi\u00f3n 7.9.0 anterior a la 7.9.3, desde la versi\u00f3n 7.10.0 anterior a la 7.10.3, desde la versi\u00f3n 7.11.0 anterior a la 7.11.3, desde la versi\u00f3n 7.12.0 anterior a la 7.12.3 y antes de la versi\u00f3n 7.13.1 permite que atacantes remotos obtengan el token Cross-Site Request Forgery (CSRF) de un usuario a trav\u00e9s de una vulnerabilidad de redirecci\u00f3n abierta." } ], "id": "CVE-2018-13401", "lastModified": "2024-11-21T03:47:01.970", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-10-23T13:29:03.040", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105751" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68139" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105751" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68139" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-30 03:15
Modified
2024-11-21 04:38
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70856 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70856 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "75B4AF57-1A42-49D9-96B9-704B74ADA9B5", "versionEndExcluding": "8.3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B16EE52-5990-4816-A575-D6C993FF123D", "versionEndExcluding": "8.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0." }, { "lang": "es", "value": "Las versiones afectadas del servidor y centro de datos Atlassian Jira permiten a los atacantes remotos inyectar HTML o JavaScript arbitrarios a trav\u00e9s de una vulnerabilidad de escritura en sitios cruzados (XSS) en la caracter\u00edstica de configuraci\u00f3n del proyecto. 
Las versiones afectadas son anteriores a la versi\u00f3n 8.3.0" } ], "id": "CVE-2019-20416", "lastModified": "2024-11-21T04:38:25.617", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-30T03:15:09.993", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70856" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70856" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-22 18:29
Modified
2024-11-21 04:42
Severity ?
Summary
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69243 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69243 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AAAD6CB-BAF7-4FE4-BB84-F7614F28AEEB", "versionEndExcluding": "7.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6E81B95-7F2A-4347-A865-703EE11516DC", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter." }, { "lang": "es", "value": "ConfigurePortalPages.jspa resource in Jira antes versi\u00f3n 7.13.3 y desde la versi\u00f3n 8.0.0 antes versi\u00f3n 8.1.1, permite a los atacantes remotos inyectar HTML o JavaScript arbitrarios mediante una vulnerabilidad de tipo cross-site scripting (XSS) en el par\u00e1metro searchOwnerUserName." 
} ], "id": "CVE-2019-3402", "lastModified": "2024-11-21T04:42:02.260", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-22T18:29:00.787", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69243" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69243" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-03-26 21:00
Modified
2024-11-21 00:56
Severity ?
Summary
The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09 | Patch, Vendor Advisory | |
cve@mitre.org | http://secunia.com/advisories/33084 | Vendor Advisory | |
cve@mitre.org | http://www.osvdb.org/52707 | Broken Link | |
cve@mitre.org | http://www.securityfocus.com/bid/32746 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/47211 | VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/33084 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.osvdb.org/52707 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/32746 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/47211 | VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D496B15-7014-4024-B0F2-F7FA15C67190", "versionEndExcluding": "3.13.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka \"WebWork 1 Parameter Injection Hole.\"" }, { "lang": "es", "value": "La la aplicaci\u00f3n ebWork 1 web framework en Atlassian JIRA v3.13.2, permite a atacantes remotos invocar los m\u00e9todos p\u00fablicos de JIRA a trav\u00e9s de una URL manipulada en la llamada al m\u00e9todo. Tambi\u00e9n conocido como \"WebWork 1 Parameter Injection Hole.\"" } ], "id": "CVE-2008-6531", "lastModified": "2024-11-21T00:56:46.427", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-03-26T21:00:00.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33084" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/52707" }, { "source": "cve@mitre.org", "tags": [ 
"Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/32746" }, { "source": "cve@mitre.org", "tags": [ "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47211" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-12-09" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33084" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/52707" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/32746" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47211" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-09 13:16
Modified
2024-11-21 02:06
Severity ?
Summary
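Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors. The record's evaluator note, citing the vendor advisory, labels this issue "Windows only", and its CPE configuration pairs the affected JIRA versions with Microsoft Windows as the platform.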
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C78C5AC-FEB7-4049-B922-3C7413870170", "versionEndIncluding": "6.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B83446EB-1A2B-4803-9D2A-DBF37A99C96C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F5989726-B934-4FF1-AB54-7DC77AC2C6EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D910A750-B5AB-48F1-9A33-0895901E0522", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en el plugin Issue Collector en Atlassian JIRA anterior a 6.0.4 permite a atacantes remotos crear archivos arbitrarios a trav\u00e9s de vectores no especificados." 
} ], "evaluatorSolution": "Per: https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26\n\n\"Issue 1: Path traversal in JIRA Issue Collector plugin (Windows only)\"", "id": "CVE-2014-2314", "lastModified": "2024-11-21T02:06:03.350", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-09T13:16:57.130", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/32725" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/32725" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2024-11-21 02:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "009D0E80-6F30-43A1-99F7-B7DE7A69AFA2", "versionEndIncluding": "7.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header." }, { "lang": "es", "value": "Vulnerabilidad XSS en includes/decorators/global-translations.jsp en Atlassian JIRA en versiones anteriores a 7.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del encabezado HTTP Host." } ], "id": "CVE-2016-6285", "lastModified": "2024-11-21T02:55:48.630", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-01-31T22:59:00.330", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2017/Jan/41" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/95913" }, { "source": "cve@mitre.org", "tags": [ "Release Notes" ], "url": "https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRA-61888?src=confmacro\u0026_ga=1.139403892.63283854.1485351777" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://packetstormsecurity.com/files/140548/Atlassian-Jira-7.1.7-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2017/Jan/41" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/95913" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://confluence.atlassian.com/adminjira/jira-platform-releases/jira-7-2-x-platform-release-notes#JIRA7.2.xplatformreleasenotes-7-2-2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRA-61888?src=confmacro\u0026_ga=1.139403892.63283854.1485351777" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-18 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/102744 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66643 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102744 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66643 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2F243B1-7B91-4254-8F09-A516329EE956", "versionEndExcluding": "7.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities." }, { "lang": "es", "value": "Jira-importers-plugin en Atlassian Jira en versiones anteriores a la 7.6.1 permite que atacantes remotos creen nuevos proyectos y anulen la importaci\u00f3n de un sistema externo en ejecuci\u00f3n mediante varias vulnerabilidades de Cross-Site Request Forgery (CSRF)." } ], "id": "CVE-2017-18033", "lastModified": "2024-11-21T03:19:12.880", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2018-01-18T14:29:00.383", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102744" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102744" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66643" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-23 14:15
Modified
2024-11-21 04:21
Severity ?
Summary
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69782 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69782 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "83940834-60F6-4C58-9F17-FF2FFFAB5AF0", "versionEndExcluding": "7.13.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F665F2DD-7C62-43CB-8FEB-2DB1521D8A87", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "55DBB75B-F9FF-435E-B392-99F61ABBD6C5", "versionEndExcluding": "8.3.2", "versionStartIncluding": "8.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF)." }, { "lang": "es", "value": "Varios recursos expuestos de la clase ViewLogging en Jira antes de la versi\u00f3n 7.13.6, desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.2.3 y desde la versi\u00f3n 8.3.0 antes de la versi\u00f3n 8.3.2 permiten a los atacantes remotos modificar varias configuraciones a trav\u00e9s de la falsificaci\u00f3n de solicitudes entre sitios (CSRF)." 
} ], "id": "CVE-2019-11587", "lastModified": "2024-11-21T04:21:23.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-23T14:15:11.047", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69782" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69782" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-29 06:15
Modified
2024-11-21 04:38
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70883 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70883 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A5B1084-0838-4618-A0E0-C34E5A4DD438", "versionEndExcluding": "7.13.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66A32E0-AF2A-457D-8634-BC141F93EF97", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04AEDB9-DA55-4EB4-A30E-1487A1E352EA", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD3FC6D0-18E4-4BF7-8DE2-3D03730A7AAF", "versionEndExcluding": "7.13.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application\u0027s availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos afectar la disponibilidad de la aplicaci\u00f3n por medio de una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la p\u00e1gina UserPickerBrowser.jspa. 
Las versiones afectadas son anteriores a la versi\u00f3n 7.13.9 y desde la versi\u00f3n 8.0.0 anteriores a 8.4.2" } ], "id": "CVE-2019-20413", "lastModified": "2024-11-21T04:38:25.260", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-29T06:15:10.907", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70883" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70883" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:02
Severity ?
Summary
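The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability. Note that the CPE configuration in the NVD record below gives lower upper bounds for two of these ranges (7.13.14 and 8.5.5 rather than 7.13.16 and 8.5.7), so version matching based on the CPE data alone may not flag every release this description covers; confirm the fixed versions against the vendor advisory.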
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71198 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71198 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C37B767-CBE4-4E98-9FB8-90020424EFE4", "versionEndExcluding": "7.13.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "75CC108C-2D1D-4BE0-B0F2-3013E31605C4", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "547F1523-AD76-4557-820B-7CB0AD0F9659", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "74AEEBB1-3786-457D-891D-926DB7A4FDBB", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEB10566-CCFE-4C65-8AB7-C11BD071AD6D", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA7A5733-8237-44A3-B6EA-06E6855A89DD", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "29550345-AC18-4BA4-9632-7750F21CCD58", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "19A3E98A-DE12-41BB-BF8A-B7D20EC46614", "versionEndExcluding": "7.13.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access 
outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability." }, { "lang": "es", "value": "El cliente de correo electr\u00f3nico en Jira Server y Data Center versiones anteriores a 7.13.16, desde versiones 8.5.0 anteriores a 8.5.7, desde versiones 8.8.0 anteriores a 8.8.2 y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos acceder a correos electr\u00f3nicos salientes entre una instancia de Jira y el servidor SMTP por medio de una vulnerabilidad de tipo man-in-the-middle (MITM)" } ], "id": "CVE-2020-14168", "lastModified": "2024-11-21T05:02:47.337", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:11.960", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71198" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-71198" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-10-06 23:15
Modified
2024-11-21 05:02
Severity ?
Summary
Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71646 | Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71646 | Permissions Required, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "C4E14497-BE54-41E5-BE0C-C9CB84D2A2C9", "versionEndExcluding": "7.13.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:server:*:*:*", "matchCriteriaId": "E43F04A4-FFD8-4EF0-A64B-67A7390FBE9B", "versionEndExcluding": "7.13.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "747BDDBB-A75C-48C7-A907-3514EA0AE9ED", "versionEndExcluding": "8.5.9", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:server:*:*:*", "matchCriteriaId": "C5C7FD5B-E968-4162-AAE6-872577B08A25", "versionEndExcluding": "8.5.9", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "C55C6477-FB8F-4B94-85C4-EE765B0FBC54", "versionEndExcluding": "8.12.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:server:*:*:*", "matchCriteriaId": "B53EB7A4-2303-4F3C-A6C1-58E4DC85BEB2", "versionEndExcluding": "8.12.1", "versionStartIncluding": "8.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Jira Server \u0026 Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance\u0027s Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1." 
}, { "lang": "es", "value": "Las versiones afectadas de Jira Server \u0026amp; Data Center, permiten a un atacante remoto con privilegios limitados (no de administrador) visualizar el Support Entitlement Number (SEN) de una instancia de Jira por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en los encabezados HTTP Response.\u0026#xa0;Las versiones afectadas son anteriores a la versi\u00f3n 7.13.18, desde versi\u00f3n 8.0.0 anteriores a 8.5.9 y desde versi\u00f3n 8.6.0 anteriores a 8.12.1" } ], "id": "CVE-2020-14183", "lastModified": "2024-11-21T05:02:49.540", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-10-06T23:15:12.040", "references": [ { "source": "security@atlassian.com", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71646" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-71646" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-09 02:15
Modified
2024-11-21 05:29
Severity ?
Summary
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72258 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72258 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "97107452-2B55-47E7-94EC-EF0504CA5E87", "versionEndExcluding": "8.13.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "85F720A3-5688-412C-8DFD-DA1E2FB2B684", "versionEndExcluding": "8.13.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check." 
}, { "lang": "es", "value": "El recurso de preferencia de gadgets del panel de control del plugin de gadgets de Atlassian usado en Jira Server y Jira Data Center versiones anteriores a 8.13.5, y desde versi\u00f3n 8.14.0 anterior a 8.15.1, permite a atacantes remotos y an\u00f3nimos obtener configuraciones relacionadas con gadgets por medio de una falta de comprobaci\u00f3n de permisos" } ], "id": "CVE-2020-36287", "lastModified": "2024-11-21T05:29:13.030", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-09T02:15:12.960", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72258" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72258" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } 
], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:32
Severity ?
Summary
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71107 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71107 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "385624FB-6801-4B2D-A41D-4435AB2DC2F7", "versionEndExcluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF1BD2D7-E2F8-4603-858C-D04267E88E28", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "74AEEBB1-3786-457D-891D-926DB7A4FDBB", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3477C08-4DDF-4B4C-B90F-A4897A76BAF5", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "29550345-AC18-4BA4-9632-7750F21CCD58", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CED0E35-40ED-4D46-8121-4F1AA9D23EAE", "versionEndExcluding": "8.5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type." 
}, { "lang": "es", "value": "El recurso de descarga de archivos adjuntos en Atlassian Jira Server y Data Center versiones anteriores a 8.5.5, y desde versiones 8.6.0 anteriores a 8.8.2, y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) que emite archivos adjuntos con un tipo de contenido multiparte mixto" } ], "id": "CVE-2020-4022", "lastModified": "2024-11-21T05:32:10.317", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:12.130", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71107" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-30 07:15
Modified
2024-11-21 06:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72573 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72573 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A6F7F6F-1C16-4769-BE9F-C57C1F148938", "versionEndExcluding": "8.13.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "006A3D1F-F4A6-4971-9A69-30ACE29022D7", "versionEndExcluding": "8.13.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DB8777E-BFA3-4194-880B-3291A57A40C7", "versionEndExcluding": "8.18.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0503EF7F-EEDD-4D97-810F-D8C46FDBE0E3", "versionEndExcluding": "8.18.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0." }, { "lang": "es", "value": "Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos seguir visualizando el contenido en cach\u00e9 incluso despu\u00e9s de perder los permisos, por medio de una vulnerabilidad de Control de Acceso Roto en la funcionalidad allowlist. Las versiones afectadas son versiones anteriores a 8.13.9, y desde versiones 8.14.0 anteriores a 8.18.0." 
} ], "id": "CVE-2021-39113", "lastModified": "2024-11-21T06:18:35.783", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-08-30T07:15:06.737", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72573" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72573" } ], 
"sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:32
Severity ?
Summary
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70926 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70926 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "385624FB-6801-4B2D-A41D-4435AB2DC2F7", "versionEndExcluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "53E4C23D-6911-4919-867A-9B0AB37DBDDF", "versionEndExcluding": "8.7.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7DF16FD-97C8-4918-B548-2904830E7729", "versionEndExcluding": "8.8.1", "versionStartIncluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8261CDC7-3FD3-4B69-8B7F-725333B644B1", "versionEndExcluding": "8.7.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5348E1DB-7336-46B8-83A3-51C986B0DF2D", "versionEndExcluding": "8.8.1", "versionStartIncluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CED0E35-40ED-4D46-8121-4F1AA9D23EAE", "versionEndExcluding": "8.5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability." 
}, { "lang": "es", "value": "El recurso /rest/project-templates/1.0/createshared en Atlassian Jira Server y Data Center versiones anteriores a 8.5.5, desde versiones 8.6.0 anteriores a 8.7.2 y desde versiones 8.8.0 anteriores a 8.8.1, permite a atacantes remotos enumerar nombres de proyectos por medio de una vulnerabilidad de autorizaci\u00f3n inapropiada" } ], "id": "CVE-2020-4029", "lastModified": "2024-11-21T05:32:11.070", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:12.413", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70926" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70926" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-05-14 13:29
Modified
2024-11-21 04:08
Severity ?
Summary
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67289 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67289 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF1A112D-4024-4205-900D-BBFFABF01C7B", "versionEndExcluding": "7.6.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A38A1E0B-95D0-409F-AE3C-A5725F4605FA", "versionEndExcluding": "7.7.4", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EC68826-9A37-4903-A349-407510635825", "versionEndExcluding": "7.8.4", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C219C9D-07EB-41ED-AE45-E18A366CA4FF", "versionEndExcluding": "7.9.2", "versionStartIncluding": "7.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified." }, { "lang": "es", "value": "El recolector de incidencias en Atlassian Jira en versiones anteriores a la 7.6.6, desde la versi\u00f3n 7.7.0 hasta la 7.7.4, desde la 7.8.0 hasta la 7.8.4 y desde la 7.9.0 hasta la 7.9.2 permite que los atacantes remotos inyecten c\u00f3digo JavaScript o HTML arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en en el mensaje de error de los campos personalizados cuando se especifica un valor no v\u00e1lido." 
} ], "id": "CVE-2018-5230", "lastModified": "2024-11-21T04:08:23.123", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-05-14T13:29:03.507", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67289" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67289" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-23 14:15
Modified
2024-11-21 04:21
Severity ?
Summary
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69781 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69781 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "83940834-60F6-4C58-9F17-FF2FFFAB5AF0", "versionEndExcluding": "7.13.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F665F2DD-7C62-43CB-8FEB-2DB1521D8A87", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "55DBB75B-F9FF-435E-B392-99F61ABBD6C5", "versionEndExcluding": "8.3.2", "versionStartIncluding": "8.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability." }, { "lang": "es", "value": "El m\u00e9todo doGarbageCollection de la clase ViewSystemInfo en Jira antes de la versi\u00f3n 7.13.6, de la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.2.3 y de la versi\u00f3n 8.3.0 antes de la versi\u00f3n 8.3.2 permite a los atacantes remotos activar la recolecci\u00f3n de basura a trav\u00e9s de una falsificaci\u00f3n de solicitud entre sitios ( CSRF) vulnerabilidad." 
} ], "id": "CVE-2019-11588", "lastModified": "2024-11-21T04:21:23.743", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-23T14:15:11.343", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69781" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69781" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-10 03:59
Modified
2024-11-21 02:51
Severity ?
Summary
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "7872ABB4-DE8C-4830-935A-920D15C647C0", "versionEndIncluding": "7.1.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings." }, { "lang": "es", "value": "Atlassian JIRA Server en versiones anteriores a 7.1.9 tiene CSRF en auditor\u00eda/ajustes." } ], "id": "CVE-2016-4319", "lastModified": "2024-11-21T02:51:51.540", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-10T03:59:01.217", "references": [ { "source": "cret@cert.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97517" }, { "source": "cret@cert.org", "url": 
"https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "source": "cret@cert.org", "url": "https://jira.atlassian.com/browse/JRA-61803" }, { "source": "cret@cert.org", "tags": [ "Issue Tracking" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61803" }, { "source": "cret@cert.org", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97517" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/browse/JRA-61803" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61803" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-29 06:15
Modified
2024-11-21 04:38
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70884 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70884 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "190020C4-C318-4DC7-A273-46C58FABB987", "versionEndExcluding": "7.6.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEC3DCB0-D6DD-43E3-8E5C-5A205681C9C7", "versionEndExcluding": "7.13.9", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66A32E0-AF2A-457D-8634-BC141F93EF97", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "463EA2B6-D4EC-4C20-A384-3D1487CB1A80", "versionEndExcluding": "7.13.9", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04AEDB9-DA55-4EB4-A30E-1487A1E352EA", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C609FD0-6B60-431D-9ED4-82AEAC31AA71", "versionEndExcluding": "7.6.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos visualizar informaci\u00f3n confidencial por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en la funcionalidad de restricci\u00f3n de comentarios. 
Las versiones afectadas son anteriores a la versi\u00f3n 7.6.17, desde la versi\u00f3n 7.7.0 anteriores a 7.13.9, y desde la versi\u00f3n 8.0.0 anteriores a 8.4.2" } ], "id": "CVE-2019-20410", "lastModified": "2024-11-21T04:38:24.927", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-29T06:15:10.687", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70884" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70884" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-23 14:15
Modified
2024-11-21 04:21
Severity ?
Summary
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers, via an open redirect, to redirect users to a different website, which the attackers may use as part of a phishing attack.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69784 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69784 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "83940834-60F6-4C58-9F17-FF2FFFAB5AF0", "versionEndExcluding": "7.13.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F665F2DD-7C62-43CB-8FEB-2DB1521D8A87", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "55DBB75B-F9FF-435E-B392-99F61ABBD6C5", "versionEndExcluding": "8.3.2", "versionStartIncluding": "8.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect." }, { "lang": "es", "value": "El recurso startup.jsp en Jira antes de la versi\u00f3n 7.13.6, desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.2.3 y desde la versi\u00f3n 8.3.0 antes de la versi\u00f3n 8.3.2 permite a los atacantes remotos redirigir a los usuarios a un sitio web diferente que pueden usar como parte de realizar un ataque de phishing a trav\u00e9s de una redirecci\u00f3n abierta." 
} ], "id": "CVE-2019-11585", "lastModified": "2024-11-21T04:21:23.427", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-23T14:15:10.907", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69784" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69784" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-09-01 05:15
Modified
2024-11-21 05:02
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71498 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71498 | Permissions Required |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "34FEEA69-4B5F-4EDB-8007-F4918A8A4EDA", "versionEndExcluding": "7.13.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA8CC2B5-6238-4E5B-A7AC-34279A4FAF15", "versionEndExcluding": "8.5.8", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4F4A10D-0C84-46C6-8428-A9B53541EB00", "versionEndExcluding": "8.12.0", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B666569-FD4E-4C6B-9262-FE6D14F29C4F", "versionEndExcluding": "8.5.8", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6D370E7-0939-40F3-942C-CA6D66B8AAC0", "versionEndExcluding": "8.12.0", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "45209CBE-8CDC-4D75-987D-95829E4DB999", "versionEndExcluding": "7.13.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos enumerar las claves de proyecto por medio de una vulnerabilidad de Divulgaci\u00f3n de Informaci\u00f3n en el endpoint /browse.PROJECTKEY.\u0026#xa0;Las versiones afectadas son anteriores a versi\u00f3n 7.13.7, desde la versi\u00f3n 8.0.0 anteriores a 8.5.8 y desde la versi\u00f3n 8.6.0 anteriores a 8.12.0" } ], "id": "CVE-2020-14178", "lastModified": "2024-11-21T05:02:49.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-09-01T05:15:10.063", "references": [ { "source": "security@atlassian.com", "tags": [ "Permissions Required" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71498" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71498" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-15 00:15
Modified
2024-11-21 05:29
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72059 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72059 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2823995C-7B02-4318-8B9D-3F9659F2B0CB", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "23CA57C4-72B6-465C-8EC1-0C00A9A67877", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DC31C8A-7C3A-497D-8B93-186A4BB78177", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEF44ED6-2346-4FF8-8AFF-67A4E3BFF69D", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "54CAA007-B086-4422-AB45-35A561CCD894", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC0005F9-7748-4F24-927E-6789D415E0CD", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) en la vista Screens Modal.\u0026#xa0;Las versiones afectadas son anteriores a la versi\u00f3n 8.5.11, desde la versi\u00f3n 8.6.0 anteriores a 8.13.3 y desde la versi\u00f3n 8.14.0 anteriores a 8.15.0" } ], "id": "CVE-2020-36234", "lastModified": "2024-11-21T05:29:06.947", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-15T00:15:12.307", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72059" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72059" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": 
"Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-22 18:29
Modified
2024-11-21 04:49
Severity ?
Summary
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to an administrator's session to access the ViewUpgrades administrative resource without re-authenticating to pass "WebSudo", through an improper access control vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/108458 | Broken Link | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69240 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/108458 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69240 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5F53E99-E523-46BC-BB9C-2C1088D30E69", "versionEndExcluding": "7.13.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2468233-97B0-4673-A2EA-5787CFD56097", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2806E160-A601-4276-A3F2-8F73DA3AE3E0", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator\u0027s session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability." }, { "lang": "es", "value": "El recurso ViewUpgrades en Jira antes de la versi\u00f3n 7.13.4, desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.0.4, y desde la versi\u00f3n 8.1.0 antes de la versi\u00f3n 8.1.1, permite a los atacantes remotos que han obtenido acceso a la sesi\u00f3n del administrador acceder al recurso administrativo de ViewUpgrades sin necesidad de volver a autenticarse para pasar \"WebSudo\" mediante una vulnerabilidad de Control de Acceso incorrecta." 
} ], "id": "CVE-2019-8443", "lastModified": "2024-11-21T04:49:54.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-22T18:29:02.100", "references": [ { "source": "security@atlassian.com", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/108458" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69240" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/108458" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69240" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-30 03:15
Modified
2024-11-21 04:38
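Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD primary score, taken from the metrics in the record below)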
Summary
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70849 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70849 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AAAD6CB-BAF7-4FE4-BB84-F7614F28AEEB", "versionEndExcluding": "7.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3A2B3FB-45D3-4DB2-B10C-68E827E72837", "versionEndExcluding": "8.1.0", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "660409CF-397F-4D27-A331-37414A5547E5", "versionEndExcluding": "8.1.0", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "07EEEEFA-CF5A-4B45-8BCC-F5CE2448EE72", "versionEndExcluding": "7.13.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0." }, { "lang": "es", "value": "El servidor y centro de datos Atlassian Jira en las versiones afectadas permite a los atacantes remotos modificar la configuraci\u00f3n de registro y perfil a trav\u00e9s de una vulnerabilidad de falsificaci\u00f3n de solicitudes en varios sitios (CSRF). 
Las versiones afectadas son anteriores a la 7.13.3, y desde la versi\u00f3n 8.0.0 anteriores a la versi\u00f3n 8.1.0" } ], "id": "CVE-2019-20415", "lastModified": "2024-11-21T04:38:25.500", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-30T03:15:09.913", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70849" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70849" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-13 01:15
Modified
2024-11-21 04:39
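Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD primary score, taken from the metrics in the record below)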
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70942 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70942 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "299AC09B-2CB7-443A-B586-8574F99A4DB4", "versionEndExcluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "96DB3337-76C9-45AC-A51F-9927873A3785", "versionEndExcluding": "8.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos acceder a informaci\u00f3n confidencial sin estar autenticados en la pantalla de permisos Globales. Las versiones afectadas son anteriores a la versi\u00f3n 8.8.0" } ], "id": "CVE-2019-20898", "lastModified": "2024-11-21T04:39:38.733", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-13T01:15:13.357", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70942" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70942" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-08 04:15
Modified
2024-11-21 04:27
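Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD primary score, taken from the metrics in the record below)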
Summary
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:troubleshooting_and_support:*:*:*:*:*:*:*:*", "matchCriteriaId": "093A33BE-D93B-4CBC-9BF3-B37207CBAD84", "versionEndExcluding": "1.17.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "A17D5A1F-2408-4768-9DC3-F850B21B64AD", "versionEndExcluding": "6.10.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF79AB35-E420-4475-AD28-FC219C636C8B", "versionEndExcluding": "6.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC203A88-CA6B-4F1A-A68D-9C2CDE8F67FC", "versionEndExcluding": "7.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "1361951B-0754-45FF-96E4-8A886C24411B", "versionEndExcluding": "3.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "40EB5F54-C9BD-4299-A616-E3A8E20C77FB", "versionEndExcluding": "4.7.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "452D57FA-0A0B-486F-9D4B-45487B68FFB9", "versionEndExcluding": "4.7.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "76FE371E-3000-464E-ADEE-033BF2989429", "versionEndExcluding": "8.3.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. 
A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2." }, { "lang": "es", "value": "El plugin Atlassian Troubleshooting and Support anterior a versi\u00f3n 1.17.2, permite a un usuario sin privilegios iniciar escaneos de registros peri\u00f3dicos y enviar los resultados a una direcci\u00f3n de correo electr\u00f3nico especificada por el usuario debido a una falta de comprobaci\u00f3n de autorizaci\u00f3n. El mensaje de correo electr\u00f3nico puede contener informaci\u00f3n de configuraci\u00f3n sobre la aplicaci\u00f3n en la que el plugin est\u00e1 instalado. Se incluye una versi\u00f3n vulnerable del plugin con Bitbucket Server/Data Center versiones anteriores a 6.6.0, Confluence Server / Data Center versiones anteriores a 7.0.1, Jira Server / Data Center versiones anteriores a 8.3.2, Crowd / Crowd Data Center versiones anteriores a 3.6.0, Fisheye versiones anteriores a 4.7.2, Crucible versiones anteriores a 4.7.2 y Bamboo versiones anteriores a 6.10.2." 
} ], "id": "CVE-2019-15005", "lastModified": "2024-11-21T04:27:51.487", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-08T04:15:10.307", "references": [ { "source": "security@atlassian.com", "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-20647" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:02
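Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD primary score, taken from the metrics in the record below)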
Summary
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71205 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71205 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9273B156-C63F-4A8F-97E0-7D0C60D4C242", "versionEndExcluding": "8.9.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A666CC22-7A71-41FB-9477-2DD4A0326A35", "versionEndExcluding": "8.9.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability" }, { "lang": "es", "value": "El componente quick search en Atlassian Jira Server y Data Center versiones anteriores a 8.9.1, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS)" } ], "id": "CVE-2020-14169", "lastModified": "2024-11-21T05:02:47.447", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" 
}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:12.037", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71205" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71205" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-07-03 18:05
Modified
2024-11-21 00:13
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:3.6.2_156:*:*:*:*:*:*:*", "matchCriteriaId": "62CABBFC-82C8-497C-936A-B6882722F0DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page." }, { "lang": "es", "value": "Una vulnerabilidad de Ejecuci\u00f3n de comandos en sitios cruzados (XSS) en Atlassian JIRA 3.6.2-#156 permite a atacantes remotos inyectar HTML o scripts web arbitrarios a trav\u00e9s de vectores sin especificar en una solicitud directa a secure/ConfigureReleaseNote.jspa, las cuales no son comprobadas antes de ser devueltas en una p\u00e1gina de error." } ], "id": "CVE-2006-3338", "lastModified": "2024-11-21T00:13:23.793", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2006-07-03T18:05:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/20767" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/26744" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/bid/18575" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27588" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/20767" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/26744" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/18575" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27588" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-13 18:29
Modified
2024-11-21 03:47
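Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD primary score, taken from the metrics in the record below)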
Summary
The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-68526 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-68526 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFBB9997-A99A-419B-9A30-45F68E31874C", "versionEndExcluding": "7.6.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "838AA8F4-3820-4677-8839-00AFF86320C8", "versionEndIncluding": "7.12.3", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0A81285-A452-4AFE-94BE-3B27014535A3", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard." }, { "lang": "es", "value": "El gadget de estad\u00edsticas de filtro en dos dimensiones en Atlassian Jira, en versiones anteriores a la 7.6.10, desde la versi\u00f3n 7.7.0 hasta antes de la 7.12.4 y desde la versi\u00f3n 7.13.0 hasta antes de la 7.13.1, permite que los atacantes remotos inyecten HTML o JavaScript arbitrarios mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de un filtro guardado cuando se muestra en un dashboard de Jira." 
} ], "id": "CVE-2018-13403", "lastModified": "2024-11-21T03:47:02.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-02-13T18:29:00.370", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68526" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68526" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-11 14:15
Modified
2024-11-21 04:49
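Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD primary score, taken from the metrics in the record below)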
Summary
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69796 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69796 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C0726DC-9994-4DBE-BC1C-B287505C822E", "versionEndExcluding": "8.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability." }, { "lang": "es", "value": "El recurso /rest/api/latest/groupuserpicker en Jira versiones anteriores a 8.4.0, permite a atacantes remotos enumerar nombres de usuario por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n." } ], "id": "CVE-2019-8449", "lastModified": "2024-11-21T04:49:55.500", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-09-11T14:15:12.257", "references": [ { "source": "security@atlassian.com", "tags": [ "Exploit", "Third Party 
Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69796" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69796" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-26 05:15
Modified
2024-11-21 06:26
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72915 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72915 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "0827EA48-7527-40C3-B0EC-29FEA4912884", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D500158B-4083-4D29-89E8-17A6EA8FAFD1", "versionEndExcluding": "8.20.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "61DF42E8-B67B-46AF-ACEE-135531D30240", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "7066870B-8DCE-40ED-8C08-96F7A31C719C", "versionEndExcluding": "8.20.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos visualizar nombres privados de proyectos y filtros por medio de una vulnerabilidad Insecure Direct Object References (IDOR) en el Gadget Average Time in Status. 
Las versiones afectadas son anteriores a la versi\u00f3n 8.13.12, y desde versi\u00f3n 8.14.0 hasta 8.20.0" } ], "id": "CVE-2021-41306", "lastModified": "2024-11-21T06:26:00.760", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-10-26T05:15:07.393", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72915" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72915" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-02-28 01:15
Modified
2024-11-21 06:30
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-73069 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-73069 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E8C5ED6-81E7-4552-A22D-723EFBF13F82", "versionEndExcluding": "8.20.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "83A7BE71-B309-47EC-8FF8-D82E25C6EB5A", "versionEndExcluding": "8.20.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos con permisos de administrador de hojas de ruta inyectar HTML o JavaScript arbitrarios por medio de una vulnerabilidad de tipo Cross-Site Scripting (SXSS) Almacenado en el endpoint /rest/jpo/1.0/hierarchyConfiguration. Las versiones afectadas son anteriores a versi\u00f3n 8.20.3." 
} ], "id": "CVE-2021-43945", "lastModified": "2024-11-21T06:30:03.507", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-28T01:15:08.033", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73069" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73069" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-06 03:15
Modified
2024-11-21 04:38
Severity ?
Summary
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70564 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70564 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3F0ABD5-1124-4508-8F66-18F27B041CB6", "versionEndExcluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A15DCC83-66F0-4495-AF87-3EBA4A295E2D", "versionEndExcluding": "8.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability." }, { "lang": "es", "value": "Los archivos zip de soporte en Atlassian Jira Server y Data Center antes de que la versi\u00f3n 8.6.0, pudieran ser descargados por un usuario del Administrador de Sistema sin requerir que el usuario reingrese su contrase\u00f1a por medio de una vulnerabilidad de autorizaci\u00f3n inapropiada." 
} ], "id": "CVE-2019-20402", "lastModified": "2024-11-21T04:38:24.000", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-06T03:15:10.450", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70564" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70564" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-01 07:15
Modified
2024-11-21 05:32
Severity ?
Summary
Atlassian Jira Server and Data Center versions before 8.5.5, and from 8.6.0 before 8.8.1, allow remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the XML export view.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70923 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70923 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB024412-F7F7-4F32-A14C-91997AE99B17", "versionEndExcluding": "7.13.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A56AB683-A656-4594-8B9F-142A45C6118D", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B91C377-4439-4F94-A4D5-2E03B96EABA7", "versionEndExcluding": "8.8.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "95F8088C-2428-49BE-BADA-BA4AEF3DB7F4", "versionEndExcluding": "8.5.5", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "45A172A6-98BB-4C84-90F1-94F3603D5426", "versionEndExcluding": "8.8.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEC5C067-DF59-4387-8B1B-040E01150424", "versionEndExcluding": "7.13.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view." }, { "lang": "es", "value": "Unas versiones afectadas son: versiones anteriores a 8.5.5, y desde versiones 8.6.0 anteriores a 8.8.1 de Atlassian Jira Server y Data Center, permiten a atacantes remotos inyectar HTML o Javascript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS) en la vista de exportaci\u00f3n XML." 
} ], "id": "CVE-2020-4021", "lastModified": "2024-11-21T05:32:10.207", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-01T07:15:11.110", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70923" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70923" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-09-17 01:15
Modified
2024-11-21 05:02
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html | Exploit, Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71560 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71560 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0528797C-8E1D-4194-8966-792A47387171", "versionEndExcluding": "7.13.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C0DDE7B-CC07-4599-881E-4097E8624927", "versionEndExcluding": "8.5.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A0F7776-2529-4D2D-B289-9A386AEA709E", "versionEndExcluding": "8.12.0", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "83940834-60F6-4C58-9F17-FF2FFFAB5AF0", "versionEndExcluding": "7.13.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "02038437-F649-42CD-AEF6-730862241452", "versionEndExcluding": "8.5.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6D370E7-0939-40F3-942C-CA6D66B8AAC0", "versionEndExcluding": "8.12.0", "versionStartIncluding": "8.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten que un usuario no autenticado enumere usuarios por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el endpoint /ViewUserHover.jspa. 
Las versiones afectadas son las anteriores a versi\u00f3n 7.13.6, desde la versi\u00f3n 8.0.0 anteriores a 8.5.7 y desde la versi\u00f3n 8.6.0 anteriores a 8.12.0" } ], "id": "CVE-2020-14181", "lastModified": "2024-11-21T05:02:49.420", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-09-17T01:15:11.747", "references": [ { "source": "security@atlassian.com", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71560" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor 
Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71560" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-30 07:15
Modified
2024-11-21 06:18
Severity ?
Summary
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the name of a custom field.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72597 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72597 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "7742E004-36D8-4D0A-B93D-04B36C25AC62", "versionEndExcluding": "8.18.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "245FA61E-7CF5-47D9-8BAA-DF603987D16C", "versionEndExcluding": "8.18.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field." }, { "lang": "es", "value": "La p\u00e1gina AssociateFieldToScreens en Atlassian Jira Server y Data Center versiones anteriores a 8.18.0, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) por medio del nombre de un campo personalizado." 
} ], "id": "CVE-2021-39117", "lastModified": "2024-11-21T06:18:36.713", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-30T07:15:06.783", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72597" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72597" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-08-28 12:29
Modified
2024-11-21 03:47
Severity ?
Summary
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access and view an issue to obtain the email addresses of its reporter and assignee even though the configured email visibility setting is set to hidden.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/105165 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67750 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105165 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67750 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "852E5AC8-DEE0-4FC4-ADC3-D4B7D13DD405", "versionEndExcluding": "7.6.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386", "versionEndExcluding": "7.8.5", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2", "versionEndExcluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C568973F-5079-49ED-928D-7F11C842CF4B", "versionEndExcluding": "7.10.3", "versionStartIncluding": "7.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8A41F75-430A-40A0-A925-4ADA835D90B2", "versionEndExcluding": "7.11.2", "versionStartIncluding": "7.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access \u0026 view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden." 
}, { "lang": "es", "value": "El componente ProfileLinkUserFormat de Jira Server, en versiones anteriores a la 7.6.8, desde la versi\u00f3n 7.7.0 hasta antes de la 7.7.5, desde la versi\u00f3n 7.8.0 hasta antes de la 7.8.5, desde la versi\u00f3n 7.9.0 hasta antes de la 7.9.3, desde la versi\u00f3n 7.10.0 hasta antes de la 7.10.3 y desde la versi\u00f3n 7.11.0 hasta antes de la 7.11.2, permite que atacantes remotos que puedan acceder vean un problema para obtener la direcci\u00f3n de email del usuario que reporta el problema y del usuario encargado de un problema a pesar de que la opci\u00f3n de visibilidad de emails est\u00e9 configurada como oculta." } ], "id": "CVE-2018-13391", "lastModified": "2024-11-21T03:47:00.780", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-08-28T12:29:00.230", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105165" }, { "source": 
"security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67750" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105165" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67750" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-01 03:15
Modified
2024-11-21 05:29
Severity ?
Summary
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine whether a group exists and to determine the members of groups if they are assigned to a publicly visible issue field.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72272 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72272 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A455FC63-AF29-4D31-8E11-AA5671D12E06", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8144D6-FDAF-4B92-BE54-832893AC0A1E", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "26055208-F18D-4FF9-A442-7DD62D80F7E7", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF55918-44C7-4DC9-BD66-9FD9BA64A955", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists \u0026 members of groups if they are assigned to publicly visible issue field." 
}, { "lang": "es", "value": "La funci\u00f3n de b\u00fasqueda de membersOf JQL en Jira Server y Data Center anterior a versi\u00f3n 8.5.13, desde versi\u00f3n 8.6.0 anterior a versi\u00f3n 8.13.5 y desde versi\u00f3n 8.14.0 anterior a versi\u00f3n 8.15.1, permite a atacantes remotos y an\u00f3nimos determinar si existe un grupo y si miembros de grupos est\u00e1n asignados a un campo de problema visible p\u00fablicamente." } ], "id": "CVE-2020-36286", "lastModified": "2024-11-21T05:29:12.890", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-01T03:15:13.960", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72272" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72272" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-07-03 18:05
Modified
2024-11-21 00:13
Severity ?
Summary
secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:3.6.2_156:*:*:*:*:*:*:*", "matchCriteriaId": "62CABBFC-82C8-497C-936A-B6882722F0DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message." }, { "lang": "es", "value": "secure/ConfigureReleaseNote.jspa en Atlassian JIRA v3.6.2-#156 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de manipulaciones sin especificar del par\u00e1metro \"projectId\", que muestra la ruta de instalaci\u00f3n y otra informaci\u00f3n del sistema en un mensaje de error." } ], "id": "CVE-2006-3339", "lastModified": "2024-11-21T00:13:23.920", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-07-03T18:05:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://jira.atlassian.com/browse/JRA-10542" }, { "source": "cve@mitre.org", "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/26745" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "source": "cve@mitre.org", 
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27235" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://jira.atlassian.com/browse/JRA-10542" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://pridels0.blogspot.com/2006/06/atlassian-jira-information-disclosure.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/26745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/2472" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27235" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-10 15:59
Modified
2024-11-21 03:28
Summary
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "E72FD8F4-B47B-4D45-81BC-281C7C88BF64", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "E6392A0B-252B-4BE9-8381-882364CAF93D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "5022C4F9-48A7-4995-994A-455F545CDB8F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "3A8EC6B1-A57B-4277-B904-CFFC2B1B8630", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "E1F805A3-631D-4667-BF72-62A3DDDCDB2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "7EDB91B1-7D20-4BCC-A512-6F75EF70BE94", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "0B02481E-5E51-423E-A5E7-630EB3DA5F99", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3ED291F-4F1F-48BA-832C-A70B639BBDCD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "C402D0FF-E479-480A-BB01-7932CF2BF2E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "395E3ED3-3DA5-40A6-B932-36F9BF13FD76", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "41F1DD46-4FBD-40BC-B276-51C2B239BC4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "82FC7263-D0E3-490A-9DF6-ED89051354A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CB09662-5926-4AE5-BF22-B082ED223A46", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"B83D3C97-BA63-44FB-8449-220AA6B31CC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "F7ED8C91-7225-439E-BEC6-BC8E23D86041", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F181716D-3B1E-493C-A92D-D02E90922EE2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "3B86AA59-2C88-4113-85B1-0F8404155ED3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "25DAF540-7BB4-4325-9438-74F9F738519B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "3D9E7034-3F9E-4CE3-81D0-6EB2E62F0437", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "F3046E68-3839-4B96-83B1-4F14AFFD8DF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "65CB7DB0-F3CA-4037-A5FF-5D7F6678B314", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "17A58D60-1085-4E64-8706-8EC8686D4904", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "00339DCD-824D-46FA-9EFD-E4835BC7F52C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "ED7C6417-0212-489D-9324-2C653E32566A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "4C61E4B1-69D4-4278-B404-39293751033F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "A8790F9F-C124-410A-BEE5-241341C5CA57", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "C60F705C-ECF9-4F48-BE4C-CCB9E88E018B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.1.8:*:*:*:*:*:*:*", "matchCriteriaId": 
"F008971D-88E6-4D60-8755-294FD157FBF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1A224603-11AA-491D-9A06-8D573FEDDC83", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "C5117735-A248-44DD-B2B5-0A1D5CFB4977", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CA863005-6CD1-4FEC-8A1A-6E62FC76952D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "417098AA-30D0-4915-ACF8-135F59EB1493", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "693A0FEF-0803-419C-A718-DE80B984BA9D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "3C401B65-113B-4046-8D36-7F139D05A4B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "B5AFE657-35A1-4F22-839C-4E2D89C78DA1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "7605C1DD-D26E-4ACF-8915-A2717079198C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "9720C8C4-36A4-4C8B-BB4B-1D1765C76728", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "2B79812D-7367-4D71-8B74-77785FAC9874", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "6A45A0EB-99CB-4EE9-BFBB-664D0AE91981", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:5.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "8D006394-43B4-4250-87F5-38A2511BC0AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B83446EB-1A2B-4803-9D2A-DBF37A99C96C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"F5989726-B934-4FF1-AB54-7DC77AC2C6EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D910A750-B5AB-48F1-9A33-0895901E0522", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "CCBB6BD7-5A95-4A8C-9965-F07A29C85AEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "B482A552-EF34-4089-8A64-797D8C9BBE43", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6F8F311F-B327-4541-BA23-C8CF578861B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "9E729C6C-799F-4574-B560-51DB7F58C3AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "8717780D-1A19-4EE4-A526-6216EA360596", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1:*:*:*:*:*:*:*", "matchCriteriaId": "2FC850FE-63C9-4E6D-8B14-C8A2224E3FF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E129240D-BCC6-4EEF-820A-CF8EF835FE01", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "BAD25985-0587-4DD8-A6BD-DE610CB01175", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "2E2A1992-5247-4978-856A-4BAF064651F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "8003B5E4-597A-4914-96D5-14C8DEAE9ED8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "4BAE2AA2-A436-4F86-B775-DD358FA82FCB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "4C182FE8-BA50-4782-8D04-825F57DDC5E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"243F34D7-287A-419C-B709-74869E55402C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "DE4DE2F6-B3E1-45CA-A1F7-08691FD13FE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "7AED81FE-B027-4114-9A76-7F6B8A06A6BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "807D2B66-FE4F-4C83-A8C9-76F874C746BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "E21E5768-4A73-431D-9720-55C120BA0C6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "4715D04C-DC1D-42EA-AEB4-29E935DF34D1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "352372E1-FA78-4D5F-B6B3-CA7F547BD7BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "254BC1E2-0E41-46EB-9E13-9BEF69B1D786", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "6E6E7BAD-1781-44FF-A347-64498630A26F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "5B61076B-547D-4878-BDA0-C028820DA37C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "F8617A24-1894-48C7-8B05-0403183179E6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object." 
}, { "lang": "es", "value": "El complemento de JIRA Workflow Designer en Atlassian JIRA Server en versiones anteriores a 6.3.0 utiliza incorrectamente un analizador y deserializador XML, que permite a atacantes remotos ejecutar c\u00f3digo arbitrario, leer archivos arbitrarios o provocar una denegaci\u00f3n de servicio a trav\u00e9s de un objeto Java serializado." } ], "id": "CVE-2017-5983", "lastModified": "2024-11-21T03:28:49.720", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-10T15:59:00.457", "references": [ { "source": "cve@mitre.org", "tags": [ "Technical Description" ], "url": "http://codewhitesec.blogspot.com/2017/04/amf.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97379" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html" }, { "source": 
"cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-64077" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "US Government Resource", "VDB Entry" ], "url": "https://www.kb.cert.org/vuls/id/307983" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Technical Description" ], "url": "http://codewhitesec.blogspot.com/2017/04/amf.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97379" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-64077" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "US Government Resource", "VDB Entry" ], "url": "https://www.kb.cert.org/vuls/id/307983" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-25 03:15
Modified
2024-11-21 06:18
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72433 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72433 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C5A1972-3E92-42F1-AC31-5F76465EB8A4", "versionEndExcluding": "8.5.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D055246-2C6E-4EE9-813A-DAB8DD30568C", "versionEndExcluding": "8.5.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4D9B23D-DFC8-46E5-B965-3053C7491D86", "versionEndExcluding": "8.13.7", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "53B9C850-4833-4DC9-A02D-56DAC12E649F", "versionEndExcluding": "8.17.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "35C7C63E-A948-4B03-B4EC-15FB66C64B10", "versionEndExcluding": "8.18.1", "versionStartIncluding": "8.18.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "85AF3918-2011-43B9-97C3-170FF025A1B8", "versionEndExcluding": "8.13.7", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB0DE167-44B4-4283-97D3-A4159DBD8BDF", "versionEndExcluding": "8.17.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "40269648-E132-4305-BB60-1FFB6F3C7919", "versionEndExcluding": "8.18.1", "versionStartIncluding": "8.18.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. 
The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos redirigir a usuarios a una URL maliciosa por medio de una vulnerabilidad de tabnapping inverso en la funcionalidad Project Shortcuts. Las versiones afectadas son anteriores a versi\u00f3n 8.5.15, desde versi\u00f3n 8.6.0 antes de 8.13.7, desde versi\u00f3n 8.14.0 antes de 8.17.1, y desde versi\u00f3n 8.18.0 antes de 8.18.1." } ], "id": "CVE-2021-39112", "lastModified": "2024-11-21T06:18:35.623", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-25T03:15:06.380", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72433" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72433" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1022" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-08 02:15
Modified
2024-11-21 06:18
Summary
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72715 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72715 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF0C08B4-0C82-44A7-97D8-8973C8C2D9C8", "versionEndExcluding": "8.5.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E13B99D-D1D6-44A7-862D-4DC6A031BEB8", "versionEndExcluding": "8.5.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FBAB634-1ABF-4D66-B08C-DBC34789ACCE", "versionEndExcluding": "8.13.10", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F23B0961-C6E2-43E0-8F2C-855FA86275B5", "versionEndExcluding": "8.18.2", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "023CF163-22AB-46BC-B254-6702BC68D475", "versionEndExcluding": "8.13.10", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B5DC199-66DE-44AB-B32D-08DC7E9405BB", "versionEndExcluding": "8.18.2", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos autenticados enumerar las claves de los proyectos privados de Jira por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el endpoint /rest/api/latest/projectvalidate/key. Las versiones afectadas son anteriores a 8.5.18, desde la versi\u00f3n 8.6.0 anteriores a 8.13.10, y desde versi\u00f3n 8.14.0 anteriores a 8.18.2" } ], "id": "CVE-2021-39121", "lastModified": "2024-11-21T06:18:37.403", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-08T02:15:06.737", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72715" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72715" } ], "sourceIdentifier": "security@atlassian.com", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-02 00:15
Modified
2024-11-21 05:29
Summary
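Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2. (The NVD configuration listed under Impacted products also marks jira_server and jira_data_center 8.13.3 as vulnerable, which is outside the ranges given in this summary; check the vendor advisory before treating 8.13.3 as fixed.)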
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72002 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72002 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | 8.13.3 | |
atlassian | jira_server | * | |
atlassian | jira_server | 8.13.3 | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2324F010-76F2-43D3-96C0-BD9150B7E652", "versionEndExcluding": "8.5.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E1F3243-C68E-43F6-9FEC-68F9318D5980", "versionEndExcluding": "8.13.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:8.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "CF422EB8-5C9E-4166-8354-E692E5C94737", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFF8C47C-4D9A-4A61-8B90-0BAF24FBDA14", "versionEndExcluding": "8.13.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:8.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "6ABE8741-5E98-467B-A946-E1913164CD5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E92AC75-73E1-402C-9DCF-4A1B25CB999F", "versionEndExcluding": "8.5.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos visualizar los metadatos de las tarjetas a las que no deber\u00edan tener acceso por medio de una vulnerabilidad de Insecure Direct Object References (IDOR). Las versiones afectadas son anteriores a 8.5.10 y desde la versi\u00f3n 8.6.0 versiones anteriores a 8.13.2" } ], "id": "CVE-2020-36231", "lastModified": "2024-11-21T05:29:06.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-02T00:15:12.397", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72002" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-639" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-07-16 13:29
Modified
2024-11-21 03:47
Summary
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/104890 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67526 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/104890 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67526 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F0C2FA0-B59B-441B-B6EC-5A0D79491FBE", "versionEndExcluding": "7.6.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386", "versionEndExcluding": "7.8.5", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2", "versionEndExcluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F8167EC-30D3-4C10-AD1F-003FD0CBB5BC", "versionEndExcluding": "7.10.2", "versionStartIncluding": "7.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete." 
}, { "lang": "es", "value": "El recurso IncomingMailServers en Atlassian JIRA Server en versiones anteriores a la 7.6.7, desde la versi\u00f3n 7.7.0 antes de la 7.7.5, desde la versi\u00f3n 7.8.0 antes de la 7.8.5, desde la versi\u00f3n 7.9.0 antes de la 7.9.3 y desde la versi\u00f3n 7.10.0 antes de la 7.10.2 permite que atacantes remotos inyecten HTML o JavaScript arbitrarios mediante una vulnerabilidad Cross-Site Scripting (XSS) en el par\u00e1metro messagesThreshold, ya que la soluci\u00f3n para CVE-2017-18039 estaba incompleta." } ], "id": "CVE-2018-13387", "lastModified": "2024-11-21T03:47:00.307", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-07-16T13:29:00.347", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/104890" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67526" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/104890" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67526" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-20 04:15
Modified
2024-11-21 05:55
Severity ?
Summary
The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72393 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72393 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F1FF4CB-8A5A-4C49-8BC7-EDA8E4F7F6F7", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "736F4C0B-A3E6-42A3-88B8-745CDB55DB2B", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "940CC48E-EC7D-42E1-838C-011D1C8CEF31", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B9DCF77-9D9D-4988-BEF3-14C9DAA43814", "versionEndExcluding": "8.17.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "753A6E31-7EAD-443E-8FC4-D01BB97844D7", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4443C11-BA88-411E-81D2-3D4A57B3F43F", "versionEndExcluding": "8.17.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability." 
}, { "lang": "es", "value": "Una Exportaci\u00f3n XML en Atlassian Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versi\u00f3n 8.6.0 anteriores a 8.13.6, y desde versi\u00f3n 8.14.0 anteriores a 8.17.0, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado" } ], "id": "CVE-2021-26082", "lastModified": "2024-11-21T05:55:50.220", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-20T04:15:10.940", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72393" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72393" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], 
"source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-15 00:15
Modified
2024-11-21 05:55
Severity ?
Summary
The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72316 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72316 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "09C2E603-3885-467B-8720-DF14A23075C4", "versionEndExcluding": "8.5.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD4EEB38-868D-4E69-80A7-899BD9323B3A", "versionEndExcluding": "8.5.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "46468A73-9066-4ADA-BF9A-0DDF3EE9F69E", "versionEndExcluding": "8.13.4", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BE06262-0589-4549-A3F2-6AA02A2E346D", "versionEndExcluding": "8.13.4", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename." 
}, { "lang": "es", "value": "El recurso de rest AttachTemporaryFile del plugin de importadores de Jira en Jira Server y Data Center versiones anteriores a 8.5.12, desde versi\u00f3n 8.6.0 versiones anteriores a 8.13.4, y desde versi\u00f3n 8.14.0 versiones anteriores a 8.15.1, permit\u00eda a atacantes remotos autentificados obtener la ruta completa del directorio de datos de la aplicaci\u00f3n Jira por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el mensaje de error cuando se presentaba un nombre de archivo no v\u00e1lido" } ], "id": "CVE-2021-26075", "lastModified": "2024-11-21T05:55:49.273", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-15T00:15:12.920", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72316" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72316" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-07-20 04:15
Modified
2024-11-21 05:55
Severity ?
Summary
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72213 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72213 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F1FF4CB-8A5A-4C49-8BC7-EDA8E4F7F6F7", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "736F4C0B-A3E6-42A3-88B8-745CDB55DB2B", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "940CC48E-EC7D-42E1-838C-011D1C8CEF31", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA85B28C-6370-4D3A-A053-AEC6878971B4", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "753A6E31-7EAD-443E-8FC4-D01BB97844D7", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "703B1E15-8FC1-42F4-953D-0CF16829AB21", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability." 
}, { "lang": "es", "value": "Una exportaci\u00f3n de Informes HTML en Atlassian Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versi\u00f3n 8.6.0 anteriores a 8.13.6, y desde versi\u00f3n 8.14.0 anteriores a 8.16.1, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS)" } ], "id": "CVE-2021-26083", "lastModified": "2024-11-21T05:55:50.333", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-07-20T04:15:10.993", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72213" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72213" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], 
"source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-02 03:15
Modified
2024-11-21 03:19
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator into importing their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into the OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72660 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72660 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EFBCA0F-3598-4FA9-A01E-3594BAE5FD47", "versionEndExcluding": "8.18.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "4270229A-3AB3-4A4E-B858-2FFE46D9A615", "versionEndExcluding": "8.18.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix." 
}, { "lang": "es", "value": "La clase DefaultOSWorkflowConfigurator en Jira Server y Jira Data Center versiones anteriores a 8.18.1, permite a atacantes remotos que pueden enga\u00f1ar a un administrador del sistema para importar su workflow malicioso para ejecutar c\u00f3digo arbitrario a trav\u00e9s de una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota (RCE).\u0026#xa0;La vulnerabilidad permiti\u00f3 que varias clases problem\u00e1ticas de OSWorkflow sean usadas como parte de los workflows.\u0026#xa0;La soluci\u00f3n para este problema bloquea el uso de condiciones, comprobadores, funciones y registros no seguros que est\u00e1n integrados en la biblioteca OSWorkflow y otras dependencias de Jira.\u0026#xa0;Las funciones creadas por Atlassian o las funciones proporcionadas por complementos de terceros no est\u00e1n afectadas por esta correcci\u00f3n" } ], "id": "CVE-2017-18113", "lastModified": "2024-11-21T03:19:23.123", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": 
"Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-08-02T03:15:07.110", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72660" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72660" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2012-05-22 15:55
Modified
2024-11-21 01:39
Severity ?
Summary
The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
gliffy | gliffy | * | |
atlassian | jira | * | |
gliffy | gliffy | * | |
gliffy | gliffy | 1.0.1 | |
gliffy | gliffy | 2.0.0 | |
gliffy | gliffy | 2.0.1 | |
gliffy | gliffy | 2.1.0 | |
gliffy | gliffy | 2.1.1 | |
gliffy | gliffy | 2.1.2 | |
gliffy | gliffy | 2.1.3 | |
gliffy | gliffy | 2.2.0 | |
gliffy | gliffy | 2.2.1 | |
gliffy | gliffy | 2.2.2 | |
gliffy | gliffy | 3.0.0 | |
gliffy | gliffy | 3.0.1 | |
gliffy | gliffy | 3.0.2 | |
gliffy | gliffy | 3.0.3 | |
gliffy | gliffy | 3.0.4 | |
gliffy | gliffy | 3.0.5 | |
gliffy | gliffy | 3.1.0 | |
gliffy | gliffy | 3.1.1 | |
gliffy | gliffy | 3.1.2 | |
gliffy | gliffy | 3.1.3 | |
gliffy | gliffy | 3.1.4 | |
gliffy | gliffy | 3.5 | |
gliffy | gliffy | 3.5.2 | |
gliffy | gliffy | 3.6 | |
gliffy | gliffy | 3.6.1 | |
atlassian | confluence_server | 4.1.9 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:gliffy:gliffy:*:*:*:*:*:*:*:*", "matchCriteriaId": "704F51BA-F57D-472A-8EE1-C379707862D1", "versionEndIncluding": "3.7", "vulnerable": false } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "070964FD-C020-4FE3-8CCA-636BFA61097C", "versionEndIncluding": "5.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:gliffy:gliffy:*:*:*:*:*:*:*:*", "matchCriteriaId": "704F51BA-F57D-472A-8EE1-C379707862D1", "versionEndIncluding": "3.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7ED8E5BF-B56C-41DE-9D69-E162A5E3583D", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C454A6FA-38A6-4D7C-BF0B-11AF44A149DD", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "628EF8B6-C02C-4E29-B211-A0BE32E07A02", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "502FC1F6-DAD8-43D7-8284-FA069043BB1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "116447B6-9A17-4CB0-8A09-217E0091E455", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "426AA696-27C6-4F96-95E8-A321846EBBA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "8592BF3C-4775-412D-9EAE-F9E9383E266A", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CA4EE594-46BB-4776-B59D-188D4A9A2FB2", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "9B50AA29-33EA-4F80-828F-DCF78FEE96B6", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:gliffy:gliffy:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "497CA254-4BAA-439C-BF86-0F2EE436C446", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B7E1978F-8C30-4253-9086-D439FCFCEC86", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A31ADDF1-50C9-49B2-B4DF-9AF105CD0D31", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B76A0BC1-7992-46A9-A840-6A35EB8EB465", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F9B9559A-0EA1-4D5B-9192-51920E38C42B", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "C8113F2E-24C7-4885-B15B-5348E1EF6544", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "F72A3B15-5609-4A4F-A22C-196D9E627CE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "35AF35E4-4E1E-4541-B21C-92E7D25D97E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "889DEB85-F871-42B5-8D4E-C523012166DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "36E8862D-C197-409D-9267-421443C818A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A94733F8-8546-4A65-BD1E-AC4E96FFA72B", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "346A151B-0325-4147-B447-D6714B0DA9AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "B6DDC9C9-E46A-4938-8A84-BF3C2B599753", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A32FE9D-3DD1-45A3-A4DA-B139FC4C9E16", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:gliffy:gliffy:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "19C3CD54-D9E6-4728-89BD-DD7B24999B39", "vulnerable": true }, { "criteria": "cpe:2.3:a:gliffy:gliffy:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "988E035E-3DCA-4FBF-BDBF-73E3E76B6ED2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:confluence_server:4.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "5AE43247-03FB-47DE-B1AE-0B269CAFE973", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." }, { "lang": "es", "value": "El complemento Gliffy para Atlassian JIRA v3.7.1, y en version anteriores ala v4.2 para Atlassian Confluence, no restringe correctamente las capacidades de los analizadores XML de tercer nivel, lo que permite leer ficheros de su elecci\u00f3n o causar una denegaci\u00f3n de servicio (por excesivo consumo de recursos) a atacantes remotos a trav\u00e9s de vectores no especificados.\r\n" } ], "id": "CVE-2012-2928", "lastModified": "2024-11-21T01:39:57.573", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": 
"2012-05-22T15:55:02.947", "references": [ { "source": "cve@mitre.org", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/81993" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/49166" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/53595" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/81993" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/49166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/53595" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-29 06:15
Modified
2024-11-21 04:38
Severity ?
Summary
The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70882 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70882 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A5B1084-0838-4618-A0E0-C34E5A4DD438", "versionEndExcluding": "7.13.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66A32E0-AF2A-457D-8634-BC141F93EF97", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04AEDB9-DA55-4EB4-A30E-1487A1E352EA", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD3FC6D0-18E4-4BF7-8DE2-3D03730A7AAF", "versionEndExcluding": "7.13.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." 
}, { "lang": "es", "value": "La p\u00e1gina Convert Sub-Task to Issue en las versiones afectadas de Atlassian Jira Server y Data Center, permite a atacantes remotos enumerar la siguiente informaci\u00f3n por medio de una vulnerabilidad de autenticaci\u00f3n incorrecta: Workflow names; Project Key, si forma parte del nombre del flujo de trabajo; Issue Keys; Issue Types; Status Types Las versiones afectadas son anteriores a la versi\u00f3n 7.13.9 y desde la versi\u00f3n 8.0.0 anteriores a 8.4.2" } ], "id": "CVE-2019-20412", "lastModified": "2024-11-21T04:38:25.153", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-29T06:15:10.843", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70882" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70882" } ], "sourceIdentifier": 
"security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-09 20:15
Modified
2024-11-21 04:21
Severity ?
Summary
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69532 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69532 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "cisaActionDue": "2022-09-07", "cisaExploitAdd": "2022-03-07", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "F79F1C8E-F7AE-41FE-816D-5CAFA5DAC805", "versionEndExcluding": "7.6.14", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0095C963-F6A6-4EBB-AB62-351620CD64CF", "versionEndExcluding": "7.13.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0C9C08B-DEB1-483E-94C9-350EECD6A6CC", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "143F3861-2510-4E03-8CAD-957F48578976", "versionEndExcluding": "8.1.2", "versionStartIncluding": "8.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B7A6A37-2ABE-445D-B36A-0A0FD536CB05", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability." 
}, { "lang": "es", "value": "Se present\u00f3 una vulnerabilidad de inyecci\u00f3n de plantilla en el lado del servidor en Jira Server y Data Center, en las acciones ContactAdministrators y SendBulkMail. Un atacante puede ejecutar c\u00f3digo remotamente sobre sistemas que ejecutan una versi\u00f3n vulnerable de Jira Server o Data Center. Todas las versiones de Jira Server y Data Center desde 4.4.0 anteriores a 7.6.14, desde 7.7.0 anteriores a 7.13.5, desde 8.0.0 anteriores a 8.0.3, desde 8.1.0 anteriores a 8.1.2 y desde 8.2.0 anteriores a 8.2.3, est\u00e1n afectados por esta vulnerabilidad." } ], "id": "CVE-2019-11581", "lastModified": "2024-11-21T04:21:22.987", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-09T20:15:11.270", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69532" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69532" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-06-07 23:15
Modified
2024-11-21 05:55
Severity ?
Summary
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72392 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72392 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F1FF4CB-8A5A-4C49-8BC7-EDA8E4F7F6F7", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CE50829-F749-42EC-8D92-11501465F30A", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC0E2882-4E42-49EA-B569-4AF7664A333B", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "736F4C0B-A3E6-42A3-88B8-745CDB55DB2B", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "753A6E31-7EAD-443E-8FC4-D01BB97844D7", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "703B1E15-8FC1-42F4-953D-0CF16829AB21", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability." 
}, { "lang": "es", "value": "El componente number range searcher en Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versiones 8.6.0 anteriores a versiones 8.13.6, y desde versiones 8.14.0 versiones anteriores a 8.16.1 permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS)" } ], "id": "CVE-2021-26078", "lastModified": "2024-11-21T05:55:49.653", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-07T23:15:08.057", "references": [ { "source": "security@atlassian.com", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html" }, { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72392" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72392" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-15 00:15
Modified
2024-11-21 05:29
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72015 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72015 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DC31C8A-7C3A-497D-8B93-186A4BB78177", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD154306-6949-42B5-9147-07C4EAAF57E2", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "54CAA007-B086-4422-AB45-35A561CCD894", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC0005F9-7748-4F24-927E-6789D415E0CD", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "32E80E01-1812-429F-AD08-522DB458A4C9", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "05C4820F-7C7D-4CE5-A93E-62283F6AB71F", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) en los endpoints ViewWorkflowSchemes.jspa y ListWorkflows.jspa.\u0026#xa0;Las versiones afectadas son anteriores a la versi\u00f3n 8.5.11, desde la versi\u00f3n 8.6.0 anteriores a 8.13.3 y desde la versi\u00f3n 8.14.0 anteriores a 8.15.0" } ], "id": "CVE-2020-36236", "lastModified": "2024-11-21T05:29:07.233", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-15T00:15:12.497", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72015" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72015" } ], "sourceIdentifier": 
"security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-13 18:29
Modified
2024-11-21 03:47
Severity ?
Summary
The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-68527 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-68527 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFBB9997-A99A-419B-9A30-45F68E31874C", "versionEndExcluding": "7.6.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7E36533-545A-4FF6-8C4B-9CA2DC97B2C6", "versionEndIncluding": "7.8.4", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "47C69E0C-95F4-41AA-9A01-4BACA1AE0930", "versionEndIncluding": "7.9.2", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "110A371D-86AF-4967-BA78-D4407E4553E7", "versionEndIncluding": "7.10.2", "versionStartIncluding": "7.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "551A5667-1184-4E3D-9AA7-90C8D18590C3", "versionEndExcluding": "7.11.3", "versionStartIncluding": "7.11.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "078CC169-BA97-4F89-A9AE-05E21FC867CA", "versionEndExcluding": "7.12.3", "versionStartIncluding": "7.12.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0A81285-A452-4AFE-94BE-3B27014535A3", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 
before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts \u0026 open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability." }, { "lang": "es", "value": "El recurso VerifyPopServerConnection en Atlassian Jira, en versiones anteriores a la 7.6.10, desde la versi\u00f3n 7.7.0 antes de la 7.7.5, desde la versi\u00f3n 7.8.0 antes de la 7.8.5, desde la versi\u00f3n 7.9.0 antes de la 7.9.3, desde la versi\u00f3n 7.10.0 antes de la 7.10.3, desde la versi\u00f3n 7.11.0 antes de la 7.11.3, desde la versi\u00f3n 7.12.0 antes de la 7.12.3 y desde la versi\u00f3n 7.13.0 antes de la 7.13.1, permite que los atacantes remotos con derechos de administrador determinen la existencia de puertos abiertos en los hosts internos y, en algunos casos, obtengan informaci\u00f3n sensible de los recursos de la red interna mediante una vulnerabilidad Server-Side Request Forgery (SSRF)." 
} ], "id": "CVE-2018-13404", "lastModified": "2024-11-21T03:47:02.353", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-02-13T18:29:00.417", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68527" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68527" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-13 01:15
Modified
2024-11-21 04:39
Severity ?
Summary
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70813 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70813 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BD552E1-A564-434E-905A-380A9B1A090B", "versionEndExcluding": "8.5.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAB3622E-6AC3-4C75-8D92-EF4B956C0F23", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "B33CB54B-FA5E-4DD5-A356-4E01154131C8", "versionEndExcluding": "8.7.1", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "95F28857-CE0B-42DA-A310-25F6B65CA18A", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E84692EC-8FF9-4776-B7F2-C248D77FEE7B", "versionEndExcluding": "8.7.1", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9839F36-EBE8-4992-8AAA-234D352292AC", "versionEndExcluding": "8.5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1." }, { "lang": "es", "value": "La funcionalidad avatar upload en las versiones afectadas de Atlassian Jira Server y Data Center permite a atacantes remotos lograr una Denegaci\u00f3n de Servicio por medio de un archivo PNG dise\u00f1ado. 
Las versiones afectadas son anteriores a versi\u00f3n 8.5.4, desde versi\u00f3n 8.6.0 anteriores a 8.6.2, y desde versi\u00f3n 8.7.0 anteriores a 8.7.1" } ], "id": "CVE-2019-20897", "lastModified": "2024-11-21T04:39:38.607", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-13T01:15:11.213", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70813" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70813" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-12 04:15
Modified
2024-11-21 05:29
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71559 | Issue Tracking, Permissions Required, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71559 | Issue Tracking, Permissions Required, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A455FC63-AF29-4D31-8E11-AA5671D12E06", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8144D6-FDAF-4B92-BE54-832893AC0A1E", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "26055208-F18D-4FF9-A442-7DD62D80F7E7", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF55918-44C7-4DC9-BD66-9FD9BA64A955", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a un usuario no autenticado enumerar usuarios a trav\u00e9s de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el endpoint QueryComponentRendererValue!Default.jspa. 
Las versiones afectadas son anteriores a la versi\u00f3n 8.5.13, desde la versi\u00f3n 8.6.0 antes de la 8.13.5, y desde la versi\u00f3n 8.14.0 antes de la 8.15.1" } ], "id": "CVE-2020-36289", "lastModified": "2024-11-21T05:29:13.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-05-12T04:15:07.267", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Permissions Required", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-71559" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Permissions Required", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71559" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-26 05:15
Modified
2024-11-21 06:26
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72813 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72813 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "0827EA48-7527-40C3-B0EC-29FEA4912884", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "61DF42E8-B67B-46AF-ACEE-135531D30240", "versionEndExcluding": "8.13.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos visualizar los nombres de los proyectos y filtros privados por medio de una vulnerabilidad Insecure Direct Object References (IDOR) en el Average Number of Times in Status Gadget. 
Las versiones afectadas son anteriores a la versi\u00f3n 8.13.12" } ], "id": "CVE-2021-41305", "lastModified": "2024-11-21T06:26:00.550", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-10-26T05:15:07.350", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72813" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor 
Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72813" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:32
Severity ?
Summary
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with an rdf content type.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71114 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71114 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "385624FB-6801-4B2D-A41D-4435AB2DC2F7", "versionEndExcluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF1BD2D7-E2F8-4603-858C-D04267E88E28", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "74AEEBB1-3786-457D-891D-926DB7A4FDBB", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3477C08-4DDF-4B4C-B90F-A4897A76BAF5", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "29550345-AC18-4BA4-9632-7750F21CCD58", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CED0E35-40ED-4D46-8121-4F1AA9D23EAE", "versionEndExcluding": "8.5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type." }, { "lang": "es", "value": "El recurso de descarga de archivos adjuntos en Atlassian Jira Server y Data Center. 
El recurso de descarga de archivos adjuntos en Atlassian Jira Server y Data Center versiones anteriores a 8.5.5, y desde versiones 8.6.0 anteriores a 8.8.2, y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) que emite archivos adjuntos con un tipo de contenido rdf" } ], "id": "CVE-2020-4025", "lastModified": "2024-11-21T05:32:10.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:12.257", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71114" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71114" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } 
], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-06-07 23:15
Modified
2024-11-21 05:55
Severity ?
Summary
The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72396 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72396 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C5A1972-3E92-42F1-AC31-5F76465EB8A4", "versionEndExcluding": "8.5.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D055246-2C6E-4EE9-813A-DAB8DD30568C", "versionEndExcluding": "8.5.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4D9B23D-DFC8-46E5-B965-3053C7491D86", "versionEndExcluding": "8.13.7", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B9DCF77-9D9D-4988-BEF3-14C9DAA43814", "versionEndExcluding": "8.17.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "85AF3918-2011-43B9-97C3-170FF025A1B8", "versionEndExcluding": "8.13.7", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4443C11-BA88-411E-81D2-3D4A57B3F43F", "versionEndExcluding": "8.17.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability." 
}, { "lang": "es", "value": "El componente CardLayoutConfigTable en Jira Server y Jira Data Center versiones anteriores a 8.5.15, y desde versiones 8.6.0 anteriores a versiones 8.13.7, y desde versiones 8.14.0v anteriores a 8.17.0, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS)" } ], "id": "CVE-2021-26079", "lastModified": "2024-11-21T05:55:49.773", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-07T23:15:08.097", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72396" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72396" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-12 14:29
Modified
2024-11-21 03:17
Severity ?
Summary
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/102506 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66622 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102506 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66622 | Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F620E90-A343-43FF-920C-EE0613D0B9EF", "versionEndExcluding": "7.6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the \"incoming mail\" whitelist setting via a Cross-site request forgery (CSRF) vulnerability." }, { "lang": "es", "value": "El recurso IncomingMailServers en Atlassian Jira, en versiones anteriores a la 7.6.2, permite que atacantes remotos modifiquen la configuraci\u00f3n de lista blanca \"incoming mail\" mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF)." } ], "id": "CVE-2017-16862", "lastModified": "2024-11-21T03:17:07.340", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-12T14:29:00.617", "references": [ { 
"source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102506" }, { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66622" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102506" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66622" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-07-24 13:29
Modified
2024-11-21 03:19
Severity ?
Summary
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-59980 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-59980 | Exploit, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F0C2FA0-B59B-441B-B6EC-5A0D79491FBE", "versionEndExcluding": "7.6.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5FD7431-491B-4B69-8084-169989C45ABB", "versionEndExcluding": "7.11.0", "versionStartIncluding": "7.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query." }, { "lang": "es", "value": "El componente Webhooks en Atlassian Jira, en versiones anteriores a la 7.6.7 y desde la versi\u00f3n 7.7.0 hasta la 7.11.0, permite que atacantes remotos que puedan observar o interceptar eventos webhook aprendan informaci\u00f3n sobre cambios en problemas que no deber\u00edan ser enviados, puesto que no est\u00e1n incluidos en los resultados de una consulta JQL especificada." 
} ], "id": "CVE-2017-18104", "lastModified": "2024-11-21T03:19:22.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-07-24T13:29:00.230", "references": [ { "source": "security@atlassian.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-59980" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-59980" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-15 00:15
Modified
2024-11-21 05:55
Severity ?
Summary
The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker-in-the-middle attack to learn which mode a user is editing in, because the cookie is not set with the Secure attribute when Jira is configured to use HTTPS. (The NVD CPE data for this entry lists the last range as ending before 8.15.1 rather than 8.15.0; confirm the fixed version against the vendor advisory.)
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72252 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72252 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "09C2E603-3885-467B-8720-DF14A23075C4", "versionEndExcluding": "8.5.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD4EEB38-868D-4E69-80A7-899BD9323B3A", "versionEndExcluding": "8.5.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "46468A73-9066-4ADA-BF9A-0DDF3EE9F69E", "versionEndExcluding": "8.13.4", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BE06262-0589-4549-A3F2-6AA02A2E346D", "versionEndExcluding": "8.13.4", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https." 
}, { "lang": "es", "value": "La cookie jira.editor.user.mode ajustada por Jira Editor Plugin en Jira Server y Data Center versiones anteriores a 8.5.12, desde versi\u00f3n 8.6.0 versiones anteriores a 8.13.4 y desde versi\u00f3n 8.14.0 versiones anteriores a 8.15.0, permite a atacantes an\u00f3nimos remotos poder llevar a cabo un ataque de tipo attacker in the middle para saber en qu\u00e9 modo est\u00e1 editando un usuario debido a que la cookie no est\u00e1 ajustada con un atributo seguro si Jira estaba configurado para usar https" } ], "id": "CVE-2021-26076", "lastModified": "2024-11-21T05:55:49.403", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-15T00:15:12.983", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72252" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72252" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-08 02:15
Modified
2024-11-21 06:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72293 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72293 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A455FC63-AF29-4D31-8E11-AA5671D12E06", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8144D6-FDAF-4B92-BE54-832893AC0A1E", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "26055208-F18D-4FF9-A442-7DD62D80F7E7", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF55918-44C7-4DC9-BD66-9FD9BA64A955", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users\u0027 emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos visualizar los correos electr\u00f3nicos de los usuarios por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el endpoint /rest/api/2/search. 
Las versiones afectadas son anteriores a versi\u00f3n 8.5.13, desde versi\u00f3n 8.6.0 anteriores a 8.13.5, y desde versi\u00f3n 8.14.0 anteriores a 8.15.1" } ], "id": "CVE-2021-39122", "lastModified": "2024-11-21T06:18:37.557", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-09-08T02:15:06.787", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72293" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72293" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-23 14:15
Modified
2024-11-21 04:21
Severity ?
Summary
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69785 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69785 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "76FE371E-3000-464E-ADEE-033BF2989429", "versionEndExcluding": "8.3.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority." }, { "lang": "es", "value": "El recurso MigratePriorityScheme en Jira antes de la versi\u00f3n 8.3.2 permite a los atacantes remotos inyectar HTML o JavaScript arbitrario a trav\u00e9s de una vulnerabilidad de scripting entre sitios (XSS) en la url del icono de prioridad de una prioridad de problema." } ], "id": "CVE-2019-11584", "lastModified": "2024-11-21T04:21:23.317", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2019-08-23T14:15:10.843", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69785" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69785" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-03 02:15
Modified
2024-11-21 05:02
Severity ?
Summary
This issue exists to document that a security improvement in the way that Jira Server and Data Center use Velocity templates has been implemented. The way in which Velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server-side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70940 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70940 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira | * | |
atlassian | jira | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A68F00F2-4904-43E2-927B-6F87F1920441", "versionEndExcluding": "7.13.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADF7E191-98D2-4AFB-8461-22AF00D6F6BE", "versionEndExcluding": "8.5.0", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "822194D3-9916-4FD9-B002-E97E2DC9ECC5", "versionEndExcluding": "8.8.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0115956-8FAF-4F20-890D-159045619AF5", "versionEndExcluding": "7.13.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9869E340-2D03-424D-B885-7EF63C1D4759", "versionEndExcluding": "8.5.0", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4F0F76C-B351-4661-A7A5-04097A1C1129", "versionEndExcluding": "8.8.1", "versionStartIncluding": "8.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1." 
}, { "lang": "es", "value": "Este problema se presenta para documentar que se ha implementado una mejora de seguridad en la forma en que Jira Server and Data Center utilizan las plantillas de velocidad. La forma en que las plantillas de velocidad se utilizaban en el Atlassian Jira Server and Data Center en las versiones afectadas permiti\u00f3 a los atacantes remotos lograr la ejecuci\u00f3n remota de c\u00f3digo mediante la deserializaci\u00f3n insegura, si eran capaces de explotar una vulnerabilidad de inyecci\u00f3n de plantillas en el lado del servidor. Las versiones afectadas son anteriores a la versi\u00f3n 7.13.0, a partir de la versi\u00f3n 8.0.0 anterior a la 8.5.0, y a partir de la versi\u00f3n 8.6.0 anterior a la 8.8.1." } ], "id": "CVE-2020-14172", "lastModified": "2024-11-21T05:02:47.757", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-03T02:15:10.580", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor 
Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70940" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70940" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-06-08 19:30
Modified
2024-11-21 00:57
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Enterprise Edition 3.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:3.13:*:enterprise:*:*:*:*:*", "matchCriteriaId": "7ECA8B69-B096-4011-8CC2-0261F95EC6DA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Enterprise Edition 3.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information." }, { "lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados(CSRF) en JIRA Enterprise Edition v3.13 de Atlassian permite a usuarios remotos secuestrar la autenticaci\u00f3n de usuarios sin especificar a trav\u00e9s de vectores de ataque desconocidos. NOTA: el origen de esta informaci\u00f3n es desconocido; algunos detalles han sido obtenidos exclusivamente de infomraci\u00f3n de terceras partes.\r\n" } ], "id": "CVE-2008-6832", "lastModified": "2024-11-21T00:57:34.517", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-06-08T19:30:00.313", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/49417" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32113" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/bid/31967" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46169" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/49417" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32113" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/31967" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46169" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-12 14:29
Modified
2024-11-21 03:17
Severity ?
Summary
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/102505 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66624 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102505 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66624 | Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDD6DC6B-5B0E-4408-BDD4-308576F382D7", "versionEndExcluding": "7.4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter." }, { "lang": "es", "value": "El recurso issue search en Atlassian Jira, en versiones anteriores a la 7.4.2, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el par\u00e1metro orderby." } ], "id": "CVE-2017-16864", "lastModified": "2024-11-21T03:17:07.583", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-12T14:29:00.790", "references": [ { "source": 
"security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102505" }, { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66624" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66624" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-10-23 13:29
Modified
2024-11-21 03:47
Severity ?
Summary
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users and, in some cases, to obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability. Note: the CPE match data in this record bounds the last range as version 7.13.0 (inclusive) up to version 7.13.1 (exclusive).
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/105751 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-68140 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105751 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-68140 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "25E9DDE1-F33F-4F65-A521-807D4F09C0AE", "versionEndExcluding": "7.6.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386", "versionEndExcluding": "7.8.5", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2", "versionEndExcluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C568973F-5079-49ED-928D-7F11C842CF4B", "versionEndExcluding": "7.10.3", "versionStartIncluding": "7.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "551A5667-1184-4E3D-9AA7-90C8D18590C3", "versionEndExcluding": "7.11.3", "versionStartIncluding": "7.11.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "078CC169-BA97-4F89-A9AE-05E21FC867CA", "versionEndExcluding": "7.12.3", "versionStartIncluding": "7.12.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0A81285-A452-4AFE-94BE-3B27014535A3", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, 
from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability." }, { "lang": "es", "value": "Muchos recursos en Atlassian Jira en versiones anteriores a la 7.6.9, desde la versi\u00f3n 7.7.0 anterior a la 7.7.5, desde la versi\u00f3n 7.8.0 anterior a la 7.8.5, desde la versi\u00f3n 7.9.0 anterior a la 7.9.3, desde la versi\u00f3n 7.10.0 anterior a la 7.10.3, desde la versi\u00f3n 7.11.0 anterior a la 7.11.3, desde la versi\u00f3n 7.12.0 anterior a la 7.12.3 y antes de la versi\u00f3n 7.13.1 permiten que atacantes remotos ataquen a usuarios y, en algunos casos, obtengan el token Cross-Site Request Forgery (CSRF) de un usuario a trav\u00e9s de una vulnerabilidad de redirecci\u00f3n abierta." } ], "id": "CVE-2018-13402", "lastModified": "2024-11-21T03:47:02.103", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, 
"exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-10-23T13:29:03.117", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105751" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68140" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105751" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68140" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-15 00:15
Modified
2024-11-21 05:29
Severity ?
Summary
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72115 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72115 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "09C2E603-3885-467B-8720-DF14A23075C4", "versionEndExcluding": "8.5.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD4EEB38-868D-4E69-80A7-899BD9323B3A", "versionEndExcluding": "8.5.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "46468A73-9066-4ADA-BF9A-0DDF3EE9F69E", "versionEndExcluding": "8.13.4", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BE06262-0589-4549-A3F2-6AA02A2E346D", "versionEndExcluding": "8.13.4", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution." 
}, { "lang": "es", "value": "La visualizaci\u00f3n de b\u00fasqueda y navegaci\u00f3n de problemas en Jira Server y Data Center versiones anteriores a 8.5.12, desde versi\u00f3n 8.6.0 versiones anteriores a 8.13.4 y desde versi\u00f3n 8.14.0 versiones anteriores a 8.15.1, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de Cross-Site Scripting (XSS) DOM causada por el par\u00e1metro pollution" } ], "id": "CVE-2020-36288", "lastModified": "2024-11-21T05:29:13.197", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-15T00:15:12.560", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72115" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72115" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", 
"weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-01-03 23:46
Modified
2024-11-21 00:40
Severity ?
Summary
JIRA Enterprise Edition before 3.12.1 allows remote attackers to delete another user's shared filter via a modified filter ID.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:enterprise:*:*:*:*:*", "matchCriteriaId": "204318E0-AA2F-4DCD-9CCE-73A2F2DD838D", "versionEndIncluding": "3.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "JIRA Enterprise Edition before 3.12.1 allows remote attackers to delete another user\u0027s shared filter via a modified filter ID." }, { "lang": "es", "value": "JIRA Enterprise Edition anterior a 3.12.1 permite a atacantes remotos borrar filtros compartidos de otros usuarios mediante un identificador de filtro modificado." } ], "id": "CVE-2007-6618", "lastModified": "2024-11-21T00:40:36.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-01-03T23:46:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/42769" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/27954" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27095" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://osvdb.org/42769" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/27954" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/27095" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-22 18:29
Modified
2024-11-21 04:42
Severity ?
Summary
The /rest/api/2/user/picker REST resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69242 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69242 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AAAD6CB-BAF7-4FE4-BB84-F7614F28AEEB", "versionEndExcluding": "7.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2468233-97B0-4673-A2EA-5787CFD56097", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2806E160-A601-4276-A3F2-8F73DA3AE3E0", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check." }, { "lang": "es", "value": "The /rest/api/2/user/picker rest resource en Jira antes de la versi\u00f3n 7.13.3, desde la versi\u00f3n 8.0.0 antes versi\u00f3n 8.0.4, y desde versi\u00f3n 8.1.0 antes de la versi\u00f3n 8.1.1, permite a los atacantes remotos enumerar los nombres de usuario mediante una comprobaci\u00f3n de autorizaci\u00f3n incorrecta." 
} ], "id": "CVE-2019-3403", "lastModified": "2024-11-21T04:42:02.360", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-22T18:29:00.833", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69242" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69242" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-03-22 05:15
Modified
2024-11-21 05:55
Severity ?
Summary
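Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. Note: the NVD record below lists CWE-74 (injection) as the primary weakness, which does not match the information disclosure described here, so a search or filter by CWE alone may miss this entry.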
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72010 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72010 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2823995C-7B02-4318-8B9D-3F9659F2B0CB", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "23CA57C4-72B6-465C-8EC1-0C00A9A67877", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DC31C8A-7C3A-497D-8B93-186A4BB78177", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEF44ED6-2346-4FF8-8AFF-67A4E3BFF69D", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "54CAA007-B086-4422-AB45-35A561CCD894", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC0005F9-7748-4F24-927E-6789D415E0CD", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0." 
}, { "lang": "es", "value": "Versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos no autenticados descargar archivos temporales y enumerar claves de proyectos por medio de una vulnerabilidad de Divulgaci\u00f3n de Informaci\u00f3n en el endpoint de la API /rest/api/1.0/issues/{id}/ActionsAndOperations.\u0026#xa0;Las versiones afectadas son anteriores a 8.5.11, desde versi\u00f3n 8.6.0 anteriores a 8.13.3 y desde versi\u00f3n 8.14.0 anteriores a 8.15.0" } ], "id": "CVE-2021-26069", "lastModified": "2024-11-21T05:55:48.530", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-03-22T05:15:12.057", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72010" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72010" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2013-08-20 14:55
Modified
2024-11-21 01:57
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/DeleteUser!default.jspa.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "39FF771D-2F06-4806-A529-72E20A10BE77", "versionEndIncluding": "6.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B83446EB-1A2B-4803-9D2A-DBF37A99C96C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F5989726-B934-4FF1-AB54-7DC77AC2C6EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D910A750-B5AB-48F1-9A33-0895901E0522", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "CCBB6BD7-5A95-4A8C-9965-F07A29C85AEF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/DeleteUser!default.jspa." }, { "lang": "es", "value": "Vulnerabilidad XSS en secure/admin/user/views/deleteuserconfirm.jspen el panel de administraci\u00f3n de Atlassian JIRA anterior a 6.0.5, permite a atacantes remotos inyectar secuencias arbitrarias de comandos web o HTML a trav\u00e9s del par\u00e1metro \"name\" en secure/admin/user/DeleteUser!default.jspa." 
} ], "id": "CVE-2013-5319", "lastModified": "2024-11-21T01:57:18.390", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2013-08-20T14:55:47.040", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://cxsecurity.com/issue/WLB-2013080065" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/122721" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/54417" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/61647" }, { "source": "cve@mitre.org", "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php" }, { "source": "cve@mitre.org", "url": "https://jira.atlassian.com/browse/JRA/fixforversion/33790" }, { "source": "cve@mitre.org", "url": "https://jira.atlassian.com/i#browse/JRA-34160" }, { "source": "cve@mitre.org", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=33790" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://cxsecurity.com/issue/WLB-2013080065" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/122721" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/54417" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.securityfocus.com/bid/61647" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/browse/JRA/fixforversion/33790" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/i#browse/JRA-34160" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=33790" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-09 13:16
Modified
2024-11-21 02:06
Severity ?
Summary
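Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors. Note: the evaluator comment in the record below quotes the vendor advisory of 2014-02-26, which labels this issue "Windows only", and the CPE configuration accordingly pairs the affected JIRA versions with a Windows host.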
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "39FF771D-2F06-4806-A529-72E20A10BE77", "versionEndIncluding": "6.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B83446EB-1A2B-4803-9D2A-DBF37A99C96C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F5989726-B934-4FF1-AB54-7DC77AC2C6EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D910A750-B5AB-48F1-9A33-0895901E0522", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "CCBB6BD7-5A95-4A8C-9965-F07A29C85AEF", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en el plugin Importers en Atlassian JIRA anterior a 6.0.5 permite a atacantes remotos crear archivos arbitrarios a trav\u00e9s de vectores no especificados." 
} ], "evaluatorSolution": "Per: https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26\n\n\"Issue 2: Path traversal in JIRA Importers plugin (Windows only)\"", "id": "CVE-2014-2313", "lastModified": "2024-11-21T02:06:03.200", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-09T13:16:57.117", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 04:38
Severity ?
Summary
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71204 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71204 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2980D0AC-F4B7-4DC0-BB0E-64C0138A78C7", "versionEndExcluding": "8.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class." }, { "lang": "es", "value": "El recurso /plugins/servlet/gadgets/makeRequest en Jira versiones anteriores a 8.7.0, permite a atacantes remotos acceder al contenido de los recursos de la red interna por medio de una vulnerabilidad de tipo Server Side Request Forgery (SSRF) debido a un bug l\u00f3gico en la clase JiraWhitelist" } ], "id": "CVE-2019-20408", "lastModified": "2024-11-21T04:38:24.687", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:11.583", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71204" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71204" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-06-08 19:30
Modified
2024-11-21 00:57
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:3.13:*:enterprise:*:*:*:*:*", "matchCriteriaId": "7ECA8B69-B096-4011-8CC2-0261F95EC6DA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka \"Add Comment\")." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en JIRA Enterprise Edition v3.13 de Atlassian permiten a usuarios remotos inyectar codigo web script o c\u00f3digo HTML a trav\u00e9s de (1) el par\u00e1metro \"fullname\" (nombre completo) en la p\u00e1gina \"ViewProfile\" (ver perfil) o (2) el par\u00e1metro returnUrl en un formulario, como se ha demostrado usando secure/AddComment!default.jspa (a\u00f1adir comentario)." 
} ], "id": "CVE-2008-6831", "lastModified": "2024-11-21T00:57:34.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-06-08T19:30:00.297", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/49415" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/49416" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32113" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/31967" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46167" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46168" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/49415" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/49416" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32113" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/31967" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46167" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46168" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-22 18:29
Modified
2024-11-21 04:42
Severity ?
Summary
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69244 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69244 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AAAD6CB-BAF7-4FE4-BB84-F7614F28AEEB", "versionEndExcluding": "7.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6E81B95-7F2A-4347-A865-703EE11516DC", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check." }, { "lang": "es", "value": "ManageFilters.jspa resource in Jira antes versi\u00f3n 7.13.3 y desde versi\u00f3n 8.0.0 antes versi\u00f3n 8.1.1, permite a los atacantes remotos enumerar los nombres de usuario mediante una comprobaci\u00f3n de autorizaci\u00f3n incorrecta." 
} ], "id": "CVE-2019-3401", "lastModified": "2024-11-21T04:42:02.147", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-22T18:29:00.740", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69244" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69244" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-13 01:15
Modified
2024-11-21 04:39
Severity ?
Summary
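The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1. Note: the NVD CPE ranges in the record below (from 8.5.5 up to but excluding 8.6.1, and from 8.6.2 up to but excluding 8.7.0) do not match this description, so confirm the fixed version against the vendor advisory (JRASERVER-70808) before relying on either for patch decisions.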
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70808 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70808 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BD552E1-A564-434E-905A-380A9B1A090B", "versionEndExcluding": "8.5.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DEE45D0-B55A-4A06-BAF0-18A7E3D26DE4", "versionEndExcluding": "8.6.1", "versionStartIncluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B1BE966-205E-4CA3-A799-8B1754D10B27", "versionEndExcluding": "8.7.0", "versionStartIncluding": "8.6.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "02D4E59C-FFFF-4545-A5A1-DA5DB091B846", "versionEndExcluding": "8.6.1", "versionStartIncluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "1884A441-8487-40FF-AEE3-E025670C0723", "versionEndExcluding": "8.7.0", "versionStartIncluding": "8.6.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9839F36-EBE8-4992-8AAA-234D352292AC", "versionEndExcluding": "8.5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1." }, { "lang": "es", "value": "La API Gadget en Atlassian Jira Server y Data Center en las versiones afectadas permite a atacantes remotos hacer que Jira no responda por medio de peticiones repetidas a un determinado endpoint en la API Gadget. 
Las versiones afectadas son anteriores a versi\u00f3n 8.5.4 y desde versi\u00f3n 8.6.0 anteriores a 8.6.1" } ], "id": "CVE-2019-20899", "lastModified": "2024-11-21T04:39:38.850", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-13T01:15:13.433", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70808" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70808" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-01 03:15
Modified
2024-11-21 05:29
Severity ?
Summary
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72249 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72249 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A455FC63-AF29-4D31-8E11-AA5671D12E06", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8144D6-FDAF-4B92-BE54-832893AC0A1E", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "26055208-F18D-4FF9-A442-7DD62D80F7E7", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF55918-44C7-4DC9-BD66-9FD9BA64A955", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check." 
}, { "lang": "es", "value": "El recurso /rest/api/1.0/render en Jira Server y Data Center anterior a versi\u00f3n 8.5.13, desde versi\u00f3n 8.6.0 anterior a versi\u00f3n 8.13.5 y desde versi\u00f3n 8.14.0 anterior a versi\u00f3n 8.15.1, permite a atacantes an\u00f3nimos remotos determinar si un nombre de usuario es v\u00e1lido o no mediante una falta de comprobaci\u00f3n de permisos." } ], "id": "CVE-2020-36238", "lastModified": "2024-11-21T05:29:07.503", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-01T03:15:13.820", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72249" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72249" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", 
"value": "CWE-863" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-04-10 13:29
Modified
2024-11-21 03:19
Severity ?
Summary
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103729 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67106 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103729 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67106 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F712C14-2DA8-46BB-9070-3507C84148A4", "versionEndExcluding": "7.8.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters." }, { "lang": "es", "value": "El gadget agile wallboard en Atlassian Jira, en versiones anteriores a la 7.8.1, permite que atacantes remotos inyecten HTML o JavaScript arbitrarios mediante una vulnerabilidad de Cross-Site Scripting (XSS) en el nombre de los filtros r\u00e1pidos." } ], "id": "CVE-2017-18100", "lastModified": "2024-11-21T03:19:21.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-04-10T13:29:00.323", "references": 
[ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103729" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67106" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103729" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67106" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-26 05:15
Modified
2024-11-21 06:26
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72916 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72916 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "0827EA48-7527-40C3-B0EC-29FEA4912884", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D500158B-4083-4D29-89E8-17A6EA8FAFD1", "versionEndExcluding": "8.20.0", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "61DF42E8-B67B-46AF-ACEE-135531D30240", "versionEndExcluding": "8.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "7066870B-8DCE-40ED-8C08-96F7A31C719C", "versionEndExcluding": "8.20.0", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos no autenticados visualizar los nombres de los proyectos privados y los filtros privados por medio de una vulnerabilidad Insecure Direct Object References (IDOR) en el Gadget Workload Pie Chart. 
Las versiones afectadas son anteriores a la versi\u00f3n 8.13.12, y desde versi\u00f3n 8.14.0 hasta 8.20.0" } ], "id": "CVE-2021-41307", "lastModified": "2024-11-21T06:26:00.960", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-10-26T05:15:07.437", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72916" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72916" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-21 03:15
Modified
2024-11-21 06:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to access the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72003 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72003 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2324F010-76F2-43D3-96C0-BD9150B7E652", "versionEndExcluding": "8.5.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "382C231B-EC03-4D82-B215-402321C813E3", "versionEndExcluding": "8.13.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E4D5E0B-A456-4C6C-9AB5-A6E5645677C9", "versionEndExcluding": "8.13.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E92AC75-73E1-402C-9DCF-4A1B25CB999F", "versionEndExcluding": "8.5.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1." }, { "lang": "es", "value": "Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos al componente de consulta JQL endpoint por medio de una vulnerabilidad de Control de Acceso Roto (BAC). 
Las versiones afectadas son anteriores a la versi\u00f3n 8.5.10, y desde la versi\u00f3n 8.6.0 hasta 8.13.1" } ], "id": "CVE-2021-39127", "lastModified": "2024-11-21T06:18:38.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-10-21T03:15:07.177", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72003" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-04-10 13:29
Modified
2024-11-21 03:19
Severity ?
Summary
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3517B751-F490-40D0-9612-F64511DA1D81", "versionEndExcluding": "7.6.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0281160-9946-46A0-A6FC-B63971CFDEA0", "versionEndExcluding": "7.7.3", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBBB1C9A-EB14-4C67-8077-D97CEE12525F", "versionEndExcluding": "7.8.3", "versionStartIncluding": "7.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks." }, { "lang": "es", "value": "Varos recursos administrativos de importaci\u00f3n de sistema externo en Atlassian JIRA Server (incluyendo JIRA Core), en versiones anteriores a la 7.6.5, de la versi\u00f3n 7.7.0 antes de la 7.7.3, de la versi\u00f3n 7.8.0 anterior a la 7.8.3 y antes de la versi\u00f3n 7.9.0, permite que atacantes remotos ejecuten operaciones de importaci\u00f3n y determinen si existe un servicio interno a trav\u00e9s de la falta de comprobaci\u00f3n de permisos." 
} ], "id": "CVE-2017-18101", "lastModified": "2024-11-21T03:19:21.673", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-04-10T13:29:00.383", "references": [ { "source": "security@atlassian.com", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/103730" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/bid/103730" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67107" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-23 13:15
Modified
2024-11-21 05:32
Severity ?
Summary
In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist through an Information Disclosure vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71175 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71175 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9273B156-C63F-4A8F-97E0-7D0C60D4C242", "versionEndExcluding": "8.9.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A666CC22-7A71-41FB-9477-2DD4A0326A35", "versionEndExcluding": "8.9.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability." }, { "lang": "es", "value": "En versiones anteriores a 8.9.1, varios recursos en Jira respondieron con un 404 en lugar de redireccionar a los usuarios no autenticados a la p\u00e1gina de inicio de sesi\u00f3n, en algunas situaciones esto puede haber permitido que atacantes no autorizados determinen si existen ciertos recursos o no por medio de una vulnerabilidad de Divulgaci\u00f3n de Informaci\u00f3n" } ], "id": "CVE-2020-4028", "lastModified": "2024-11-21T05:32:10.957", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 
5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-23T13:15:17.760", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71175" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71175" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-04-20 15:30
Modified
2024-11-21 01:13
Severity ?
Summary
Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | 3.12 | |
atlassian | jira | 3.12.1 | |
atlassian | jira | 3.12.2 | |
atlassian | jira | 3.12.3 | |
atlassian | jira | 3.13 | |
atlassian | jira | 3.13.1 | |
atlassian | jira | 3.13.2 | |
atlassian | jira | 3.13.3 | |
atlassian | jira | 3.13.4 | |
atlassian | jira | 3.13.5 | |
atlassian | jira | 4.0 | |
atlassian | jira | 4.0.1 | |
atlassian | jira | 4.0.2 | |
atlassian | jira | 4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:3.12:*:*:*:*:*:*:*", "matchCriteriaId": "DEA72E9E-ED89-4CD1-AF2F-3C2060E115FE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "67D2DF18-C072-47EF-9F99-3FBC3BD0B46A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "618C3DD0-2AE2-4188-8BC2-69365594ADA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "49E76A26-4A32-4D17-AE09-DAA99AAA49D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13:*:*:*:*:*:*:*", "matchCriteriaId": "59835FFB-BB1C-4403-9CEC-DFC31F1A4D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "FAD7160D-BB0D-433A-8C7B-83BC311F53A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "74F52C0A-6567-4466-A20C-9BC457E56592", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "547EF015-960F-43DB-8985-8BE65B14230A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.4:*:*:*:*:*:*:*", "matchCriteriaId": "4931F747-FA7D-42BF-B71F-277EE38A29C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:3.13.5:*:*:*:*:*:*:*", "matchCriteriaId": "856597BE-1407-4587-B591-BD8B5B097B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6039B692-0E90-428E-B953-D1F21AC48575", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EEED2354-51E8-4BF0-A07E-C70E14A8D79A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "86E22F6B-1CB8-4BAA-85EE-9B5FC4FD7635", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:4.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"1B07F838-5D36-4CEB-9579-3AB8BD67CCB6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010." }, { "lang": "es", "value": "Atlassian JIRA v3.12 hasta v4.1 permite a administradores autenticados remotamente ejecutar c\u00f3digo de su elecci\u00f3n modificando(1) adjuntos (como attachments), (2) \u00edndice (como indexing), o (3) ruta de guardado y luego subir un fichero, se explota activamente desde abril de 2010." } ], "id": "CVE-2010-1165", "lastModified": "2024-11-21T01:13:47.000", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-04-20T15:30:00.553", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-20995" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-21004" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/39353" }, { 
"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/39485" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57828" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-20995" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://jira.atlassian.com/browse/JRA-21004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/39353" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/39485" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57828" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2021-26071)
Published
2021-04-01 03:15
Modified
2024-11-21 05:55
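Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N (NVD primary score, taken from the record below)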
Summary
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72233 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72233 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A455FC63-AF29-4D31-8E11-AA5671D12E06", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8144D6-FDAF-4B92-BE54-832893AC0A1E", "versionEndExcluding": "8.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "26055208-F18D-4FF9-A442-7DD62D80F7E7", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF55918-44C7-4DC9-BD66-9FD9BA64A955", "versionEndExcluding": "8.13.5", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability." 
}, { "lang": "es", "value": "El recurso SetFeatureEnabled.jspa en Jira Server y Data Center anterior a versi\u00f3n 8.5.13, desde versi\u00f3n 8.6.0 anterior a versi\u00f3n 8.13.5 y desde versi\u00f3n 8.14.0 anterior a versi\u00f3n 8.15.1, permite que atacantes an\u00f3nimos remotos habiliten y deshabiliten la configuraci\u00f3n de Jira Software a trav\u00e9s de una vulnerabilidad de tipo cross-site request forgery (CSRF)." } ], "id": "CVE-2021-26071", "lastModified": "2024-11-21T05:55:48.767", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-01T03:15:14.150", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72233" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72233" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2019-20101)
Published
2021-09-14 05:15
Modified
2024-11-21 04:38
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://ecosystem.atlassian.net/browse/AW-20 | Issue Tracking, Vendor Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72618 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://ecosystem.atlassian.net/browse/AW-20 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72618 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | 8 | |
atlassian | jira | * | |
atlassian | jira | 8 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "09CBD196-0202-4A65-BC01-8DD009159343", "versionEndExcluding": "8.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:8:14:0:*:*:*:*:*", "matchCriteriaId": "75A45CB1-6D2C-4AEB-8C9A-830B92395052", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "121B25D7-31B4-4A85-BA57-5FE0DE58F4F4", "versionEndExcluding": "8.13.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:8:14.0:*:*:*:*:*:*", "matchCriteriaId": "920C7B47-694F-46EF-8303-C4E13DF38C2F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/\u003cversion\u003e/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." }, { "lang": "es", "value": "Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos visualizar las reglas de la lista blanca por medio de una vulnerabilidad de Control de Acceso Roto en el endpoint /rest/whitelist/(versi\u00f3n)/check. 
Las versiones afectadas son anteriores a versi\u00f3n 8.13.3, y desde versi\u00f3n 8.14.0 hasta 8.14.1" } ], "id": "CVE-2019-20101", "lastModified": "2024-11-21T04:38:03.960", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-09-14T05:15:07.437", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://ecosystem.atlassian.net/browse/AW-20" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72618" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://ecosystem.atlassian.net/browse/AW-20" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72618" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2019-20411)
Published
2020-06-29 06:15
Modified
2024-11-21 04:38
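Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD primary score, taken from the record below)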
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70881 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70881 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A5B1084-0838-4618-A0E0-C34E5A4DD438", "versionEndExcluding": "7.13.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEC3DCB0-D6DD-43E3-8E5C-5A205681C9C7", "versionEndExcluding": "7.13.9", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66A32E0-AF2A-457D-8634-BC141F93EF97", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04AEDB9-DA55-4EB4-A30E-1487A1E352EA", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos modificar la configuraci\u00f3n de Wallboard por medio de una vulnerabilidad de tipo Cross-site request forgery (CSRF). 
Las versiones afectadas son anteriores a la versi\u00f3n 7.13.9 y desde la versi\u00f3n 8.0.0 anteriores a 8.4.2" } ], "id": "CVE-2019-20411", "lastModified": "2024-11-21T04:38:25.047", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-29T06:15:10.780", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70881" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70881" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2021-26081)
Published
2021-07-20 04:15
Modified
2024-11-21 05:55
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72499 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72499 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F1FF4CB-8A5A-4C49-8BC7-EDA8E4F7F6F7", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "736F4C0B-A3E6-42A3-88B8-745CDB55DB2B", "versionEndExcluding": "8.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "940CC48E-EC7D-42E1-838C-011D1C8CEF31", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA85B28C-6370-4D3A-A053-AEC6878971B4", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "753A6E31-7EAD-443E-8FC4-D01BB97844D7", "versionEndExcluding": "8.13.6", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "703B1E15-8FC1-42F4-953D-0CF16829AB21", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint." 
}, { "lang": "es", "value": "Una API REST en Atlassian Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versi\u00f3n 8.6.0 anteriores a 8.13.6, y desde versi\u00f3n 8.14.0 anteriores a 8.16.1, permite a atacantes remotos enumerar nombres de usuario por medio de una vulnerabilidad de Exposici\u00f3n de Datos Confidenciales en el endpoint \"/rest/api/latest/user/avatar/temporary\"" } ], "id": "CVE-2021-26081", "lastModified": "2024-11-21T05:55:50.027", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": 
"Secondary" } ] }, "published": "2021-07-20T04:15:09.683", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72499" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72499" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2021-39118)
Published
2021-09-14 05:15
Modified
2024-11-21 06:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72736 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72736 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "4817E8F9-D9C6-452A-8411-BEB440F99060", "versionEndExcluding": "8.19.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "D878DF43-15BE-42D5-ACE1-DD0422FBE8ED", "versionEndExcluding": "8.19.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0." }, { "lang": "es", "value": "Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos detectar los nombres de usuario y los nombres completos de los usuarios por medio de una vulnerabilidad de enumeraci\u00f3n en el endpoint /rest/api/1.0/render. 
Las versiones afectadas son anteriores a versi\u00f3n 8.19.0" } ], "id": "CVE-2021-39118", "lastModified": "2024-11-21T06:18:36.870", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-09-14T05:15:09.900", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72736" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72736" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2018-13395)
Published
2018-08-28 12:29
Modified
2024-11-21 03:47
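Severity ?
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD primary score, taken from the record below)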
Summary
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. (The CPE match data in the record below bounds the last range as from version 7.11.0 before version 7.11.1.)
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67848 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67848 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "852E5AC8-DEE0-4FC4-ADC3-D4B7D13DD405", "versionEndExcluding": "7.6.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386", "versionEndExcluding": "7.8.5", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2", "versionEndExcluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C568973F-5079-49ED-928D-7F11C842CF4B", "versionEndExcluding": "7.10.3", "versionStartIncluding": "7.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D18DD515-3135-46E4-A99F-0573882BB098", "versionEndExcluding": "7.11.1", "versionStartIncluding": "7.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved." 
}, { "lang": "es", "value": "Varios recursos en Atlassian Jira en versiones anteriores a la 7.6.8, desde la versi\u00f3n 7.7.0 hasta antes de la 7.7.5, desde la versi\u00f3n 7.8.0 hasta antes de la 7.8.5, desde la versi\u00f3n 7.9.0 hasta antes de la 7.9.3, desde la versi\u00f3n 7.10.0 hasta antes de la 7.10.3 y antes de la versi\u00f3n 7.11.1 permiten que atacantes remotos inyecten C\u00f3digo HTML o JavaScript arbitrario mediante una vulnerabilidad de Cross-Site Scripting (XSS) en el campo epic colour de un problema mientras se est\u00e1 moviendo un problema." } ], "id": "CVE-2018-13395", "lastModified": "2024-11-21T03:47:01.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-08-28T12:29:00.353", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67848" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor 
Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67848" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2017-18039)
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
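Severity ?
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD primary score, taken from the record below)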
Summary
The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103086 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66719 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103086 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66719 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4407A5F-4FE9-4C90-9681-2B950EE3C590", "versionEndExcluding": "7.4.4", "versionStartIncluding": "6.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter." }, { "lang": "es", "value": "El recurso IncomingMailServers en Atlassian Jira desde la versi\u00f3n 6.2.1 hasta antes de la versi\u00f3n 7.4.4 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) en el par\u00e1metro messagesThreshold." } ], "id": "CVE-2017-18039", "lastModified": "2024-11-21T03:19:13.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-02-02T14:29:00.827", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103086" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66719" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103086" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66719" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-05-16 13:29
Modified
2024-11-21 04:08
Severity ?
Summary
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/104205 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67290 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/104205 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67290 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF1A112D-4024-4205-900D-BBFFABF01C7B", "versionEndExcluding": "7.6.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A38A1E0B-95D0-409F-AE3C-A5725F4605FA", "versionEndExcluding": "7.7.4", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EC68826-9A37-4903-A349-407510635825", "versionEndExcluding": "7.8.4", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C219C9D-07EB-41ED-AE45-E18A366CA4FF", "versionEndExcluding": "7.9.2", "versionStartIncluding": "7.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it." }, { "lang": "es", "value": "El recurso ForgotLoginDetails en Atlassian Jira en versiones anteriores a la 7.6.6, desde la versi\u00f3n 7.7.0 hasta la 7.7.4, desde la versi\u00f3n 7.8.0 hasta la 7.8.4 y desde la versi\u00f3n 7.9.0 hasta la 7.9.2 permite que atacantes remotos realicen un ataque de denegaci\u00f3n de servicio (DoS) mediante el env\u00edo de peticiones al mismo." 
} ], "id": "CVE-2018-5231", "lastModified": "2024-11-21T04:08:23.257", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-05-16T13:29:00.517", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/104205" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67290" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/104205" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67290" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-13 05:15
Modified
2024-11-21 05:02
Severity ?
Summary
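Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1. (Note: the CPE match data in this record gives 7.13.16, not 7.13.6, as the exclusive upper bound of the earliest affected range; confirm the fixed version against the vendor advisory, JRASERVER-71275, before using either figure for patch-level checks.)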
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71275 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71275 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | 8.10.0 | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | 8.10.0 | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB024412-F7F7-4F32-A14C-91997AE99B17", "versionEndExcluding": "7.13.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F6F4D92-50B2-4834-9458-9D3FCB22E292", "versionEndExcluding": "8.5.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2E5D8F1-E892-4C7B-86E3-C3D71643D8E4", "versionEndExcluding": "8.9.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:8.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D3F7A68-9FA8-429A-B060-FE6250AADFAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "02038437-F649-42CD-AEF6-730862241452", "versionEndExcluding": "8.5.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8433757-D455-458D-A82C-2C488FBDF58F", "versionEndExcluding": "8.9.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:8.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A1DE42A-2CAD-4681-8BB3-6BDA956A4D4C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEC5C067-DF59-4387-8B1B-040E01150424", "versionEndExcluding": "7.13.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. 
The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos visualizar t\u00edtulos de un proyecto privado por medio de una vulnerabilidad de Referencia Directa a Objetos No Segura (IDOR) en el Administration Permission Helper. Las versiones afectadas son anteriores a versi\u00f3n 7.13.6, desde versi\u00f3n 8.0.0 anteriores a 8.5.7, desde versi\u00f3n 8.6.0 anteriores a 8.9.2 y desde versi\u00f3n 8.10.0 anteriores a 8.10.1" } ], "id": "CVE-2020-14174", "lastModified": "2024-11-21T05:02:47.973", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-13T05:15:11.057", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71275" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71275" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-03 02:15
Modified
2024-11-21 05:02
Severity ?
Summary
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70814 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70814 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BD552E1-A564-434E-905A-380A9B1A090B", "versionEndExcluding": "8.5.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAB3622E-6AC3-4C75-8D92-EF4B956C0F23", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "B33CB54B-FA5E-4DD5-A356-4E01154131C8", "versionEndExcluding": "8.7.1", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "95F28857-CE0B-42DA-A310-25F6B65CA18A", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E84692EC-8FF9-4776-B7F2-C248D77FEE7B", "versionEndExcluding": "8.7.1", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9839F36-EBE8-4992-8AAA-234D352292AC", "versionEndExcluding": "8.5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1." }, { "lang": "es", "value": "La funcionalidad file upload en Atlassian Jira Server y Data Center en las versiones afectadas, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS). 
Las versiones afectadas son las versiones anteriores a 8.5.4, desde la versi\u00f3n 8.6.0 anteriores a 8.6.2, y desde la versi\u00f3n 8.7.0 anteriores a 8.7.1" } ], "id": "CVE-2020-14173", "lastModified": "2024-11-21T05:02:47.863", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-03T02:15:10.660", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70814" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70814" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-26 05:15
Modified
2024-11-21 06:26
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72940 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72940 | Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3F0ABD5-1124-4508-8F66-18F27B041CB6", "versionEndExcluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "7429FCC4-C94E-4757-BCF1-BE73814F247D", "versionEndExcluding": "8.13.12", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B23960C-64BE-419D-855F-2F8EAB17327D", "versionEndExcluding": "8.13.12", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F1DF517-D59D-4BB7-98E5-83AC2D1A24E8", "versionEndExcluding": "8.20.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A15DCC83-66F0-4495-AF87-3EBA4A295E2D", "versionEndExcluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB294011-AB4E-4BC6-AB35-7E54C33B237C", "versionEndExcluding": "8.20.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos autenticados pero no administradores editar la configuraci\u00f3n de la Replicaci\u00f3n de Archivos por medio de una vulnerabilidad de Control de Acceso Rotativo en el endpoint \"ReplicationSettings!default.jspa\". Las versiones afectadas son anteriores a la versi\u00f3n 8.6.0, desde la versi\u00f3n 8.7.0 anteriores a 8.13.12, y desde la versi\u00f3n 8.14.0 antes de la 8.20.1" } ], "id": "CVE-2021-41308", "lastModified": "2024-11-21T06:26:01.140", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-10-26T05:15:07.477", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72940" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72940" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-285" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-15 00:15
Modified
2024-11-21 05:29
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71950 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71950 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "7617188F-6779-44A5-8707-3B96B72DDF6E", "versionEndExcluding": "8.13.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5814BDF-AF93-4440-AFEA-75AADFA95EA7", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1DABD8D-7907-4FEC-B264-AC4421F4122B", "versionEndExcluding": "8.13.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF2F5ECC-3F28-4BEB-9ABD-19040D94BFA4", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos no autenticados visualizar campos personalizados y nombres de SLA personalizados por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en la vista mobile site.\u0026#xa0;Las versiones afectadas son anteriores a la versi\u00f3n 8.13.2 y desde la versi\u00f3n 8.14.0 anteriores a 8.14.1" } ], "id": "CVE-2020-36235", "lastModified": "2024-11-21T05:29:07.093", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-15T00:15:12.433", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71950" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71950" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", 
"weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-30 07:15
Modified
2024-11-21 06:18
Severity ?
Summary
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72716 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72716 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF0C08B4-0C82-44A7-97D8-8973C8C2D9C8", "versionEndExcluding": "8.5.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E13B99D-D1D6-44A7-862D-4DC6A031BEB8", "versionEndExcluding": "8.5.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FBAB634-1ABF-4D66-B08C-DBC34789ACCE", "versionEndExcluding": "8.13.10", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "F23B0961-C6E2-43E0-8F2C-855FA86275B5", "versionEndExcluding": "8.18.2", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "023CF163-22AB-46BC-B254-6702BC68D475", "versionEndExcluding": "8.13.10", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B5DC199-66DE-44AB-B32D-08DC7E9405BB", "versionEndExcluding": "8.18.2", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field." 
}, { "lang": "es", "value": "El plugin Editor en Atlassian Jira Server y Data Center versiones anteriores a 8.5.18, desde versiones 8.6.0 anteriores a 8.13.10, y desde versiones 8.14.0 anteriores a 8.18.2, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el manejo de contenido suministrado como de un PDF cuando se pega en un campo como description." } ], "id": "CVE-2021-39111", "lastModified": "2024-11-21T06:18:35.470", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-30T07:15:06.687", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72716" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72716" } ], "sourceIdentifier": "security@atlassian.com", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-06-26 16:15
Modified
2024-11-21 04:21
Severity ?
Summary
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name".
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/108901 | Third Party Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/JSWSERVER-20111 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/108901 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JSWSERVER-20111 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC192550-1B62-4EFB-BF31-D456AA740DF8", "versionEndExcluding": "8.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by \"Epic Name\"." }, { "lang": "es", "value": "El problema de componente de b\u00fasqueda en Jira anterior de la versi\u00f3n 8.1.0 permite que los atacantes remotos denieguen el acceso al servicio de Jira a trav\u00e9s de la vulnerabilidad de denegaci\u00f3n de servicio en la b\u00fasqueda de problemas al ordenar por \"EPIC NAME\"." } ], "id": "CVE-2019-11583", "lastModified": "2024-11-21T04:21:23.207", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2019-06-26T16:15:09.770", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory" ], "url": "http://www.securityfocus.com/bid/108901" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JSWSERVER-20111" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.securityfocus.com/bid/108901" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JSWSERVER-20111" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-03 20:29
Modified
2024-11-21 04:02
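Severity: MEDIUM — CVSS v3.0 base score 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), NVD primary assessment from this record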
Summary
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69238 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69238 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "39C81F58-0BEA-4F27-A204-733819997BD1", "versionEndExcluding": "7.13.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter." }, { "lang": "es", "value": "El recurso WallboardServlet en Jira en versiones anteriores a la 7.13.1 permite a los atacantes remotos inyectar HTML o JavaScript arbitrarios a trav\u00e9s de una vulnerabilidad XSS (Cross Site Scripting) en el par\u00e1metro cyclePeriod." } ], "id": "CVE-2018-20824", "lastModified": "2024-11-21T04:02:15.890", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-03T20:29:00.310", "references": [ { "source": 
"security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69238" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69238" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-23 14:15
Modified
2024-11-21 04:21
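Severity: MEDIUM — CVSS v3.0 base score 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), NVD primary assessment from this record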
Summary
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69783 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69783 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "83940834-60F6-4C58-9F17-FF2FFFAB5AF0", "versionEndExcluding": "7.13.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F665F2DD-7C62-43CB-8FEB-2DB1521D8A87", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "55DBB75B-F9FF-435E-B392-99F61ABBD6C5", "versionEndExcluding": "8.3.2", "versionStartIncluding": "8.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability." }, { "lang": "es", "value": "El recurso AddResolution.jspa en Jira antes de la versi\u00f3n 7.13.6, desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.2.3, y desde la versi\u00f3n 8.3.0 antes de la versi\u00f3n 8.3.2 permite a los atacantes remotos crear nuevas resoluciones a trav\u00e9s de una falsificaci\u00f3n de solicitud entre sitios ( CSRF) vulnerabilidad." 
} ], "id": "CVE-2019-11586", "lastModified": "2024-11-21T04:21:23.530", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-23T14:15:10.967", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69783" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69783" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-09 20:15
Modified
2024-11-21 04:02
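Severity: MEDIUM — CVSS v3.1 base score 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), NVD primary assessment from this record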
Summary
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69239 | Exploit, Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69239 | Exploit, Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BD161BD-44D1-45F5-B3F5-53428C590F62", "versionEndExcluding": "7.12.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check." }, { "lang": "es", "value": "El recurso rest inline-create en Jira anterior a versi\u00f3n 7.12.3, permite a los atacantes remotos autenticados configurar al reportero en problemas por medio de una falta de comprobaci\u00f3n de autorizaci\u00f3n." } ], "id": "CVE-2018-20826", "lastModified": "2024-11-21T04:02:16.017", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-09T20:15:10.927", "references": [ { "source": "security@atlassian.com", "tags": [ "Exploit", "Issue 
Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69239" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69239" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-09 20:15
Modified
2024-11-21 04:02
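Severity: MEDIUM — CVSS v3.0 base score 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), NVD primary assessment from this record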
Summary
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69237 | Exploit, Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-69237 | Exploit, Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B19A6B4-9888-49FB-9C0C-3DCE61DE25BD", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter." }, { "lang": "es", "value": "El gadget activity stream en Jira anterior a versi\u00f3n 7.13.1 permite a los atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS) en el par\u00e1metro country." } ], "id": "CVE-2018-20827", "lastModified": "2024-11-21T04:02:16.137", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-09T20:15:10.987", 
"references": [ { "source": "security@atlassian.com", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69237" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69237" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-23 06:15
Modified
2024-11-21 04:38
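Severity: CRITICAL — CVSS v3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), NVD primary assessment from this record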
Summary
The way in which Velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70944 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70944 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "299AC09B-2CB7-443A-B586-8574F99A4DB4", "versionEndExcluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "96DB3337-76C9-45AC-A51F-9927873A3785", "versionEndExcluding": "8.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability." }, { "lang": "es", "value": "La manera en que las plantillas de velocidad se usaron en Atlassian Jira Server y Data Center anteriores a la versi\u00f3n 8.8.0, permiti\u00f3 a atacantes remotos obtener una ejecuci\u00f3n de c\u00f3digo remota, si eran capaces de explotar una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor" } ], "id": "CVE-2019-20409", "lastModified": "2024-11-21T04:38:24.803", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-23T06:15:11.527", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70944" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70944" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-01-03 23:46
Modified
2024-11-21 00:40
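Severity: MEDIUM — CVSS v2.0 base score 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), NVD primary assessment from this record; the record carries no CVSS v3 score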
Summary
Cross-site scripting (XSS) vulnerability in 500page.jsp in JIRA Enterprise Edition before 3.12.1 allows remote attackers to inject arbitrary web script or HTML, which is not properly handled when generating error messages, as demonstrated by input originally sent in the URI to secure/CreateIssue. NOTE: some of these details are obtained from third party information.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:enterprise:*:*:*:*:*", "matchCriteriaId": "204318E0-AA2F-4DCD-9CCE-73A2F2DD838D", "versionEndIncluding": "3.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in 500page.jsp in JIRA Enterprise Edition before 3.12.1 allows remote attackers to inject arbitrary web script or HTML, which is not properly handled when generating error messages, as demonstrated by input originally sent in the URI to secure/CreateIssue. NOTE: some of these details are obtained from third party information." }, { "lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en 500page.jsp de JIRA Enterprise Edition versiones anteriores a 3.12.1 permite a atacantes remotos inyectar scripts web o HTML de su elecci\u00f3n, que no son apropiadamente gestionado cuando se generan mensajes de error, como se demuestra con entradas originalmente enviadas en el URI a secure/CreateIssue.\r\nNOTA: algunos de estos detalles se han obtenido de informaci\u00f3n de terceros." 
} ], "id": "CVE-2007-6617", "lastModified": "2024-11-21T00:40:36.670", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2008-01-03T23:46:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "source": "cve@mitre.org", "url": "http://jira.atlassian.com/browse/CONF-9560" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/42768" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/27954" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27094" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27095" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://jira.atlassian.com/browse/CONF-9560" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/42768" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/27954" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/27094" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/27095" } ], "sourceIdentifier": "cve@mitre.org", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-10 03:59
Modified
2024-11-21 02:51
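Severity: MEDIUM — CVSS v3.0 base score 4.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N), NVD primary assessment from this record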
Summary
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "7872ABB4-DE8C-4830-935A-920D15C647C0", "versionEndIncluding": "7.1.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name." }, { "lang": "es", "value": "Atlassian JIRA Server en versiones anteriores a 7.1.9 tiene XSS en project/ViewDefaultProjectRoleActors.jspa a trav\u00e9s de un nombre de funci\u00f3n." } ], "id": "CVE-2016-4318", "lastModified": "2024-11-21T02:51:51.430", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-10T03:59:01.187", "references": [ { "source": "cret@cert.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97516" }, { "source": "cret@cert.org", "url": 
"https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "source": "cret@cert.org", "url": "https://jira.atlassian.com/browse/JRA-61861" }, { "source": "cret@cert.org", "tags": [ "Issue Tracking" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61861" }, { "source": "cret@cert.org", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97516" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/browse/JRA-61861" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://jira.atlassian.com/browse/JRASERVER-61861" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240\u0026version=62034" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-15 01:15
Modified
2024-11-21 05:24
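Severity: MEDIUM — CVSS v3.1 base score 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), NVD primary assessment from this record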
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72000 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72000 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2823995C-7B02-4318-8B9D-3F9659F2B0CB", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "23CA57C4-72B6-465C-8EC1-0C00A9A67877", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD26E1FA-D472-40ED-B8BC-876F2A7EF3FA", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DC31C8A-7C3A-497D-8B93-186A4BB78177", "versionEndExcluding": "8.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "54CAA007-B086-4422-AB45-35A561CCD894", "versionEndExcluding": "8.13.3", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5814BDF-AF93-4440-AFEA-75AADFA95EA7", "versionEndExcluding": "8.14.1", "versionStartIncluding": "8.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1." 
}, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos enumerar proyectos de Jira por medio de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en la p\u00e1gina de reporte del plugin Jira Projects.\u0026#xa0;Las versiones afectadas son anteriores a la versi\u00f3n 8.5.11, desde la versi\u00f3n 8.6.0 anteriores a 8.13.3 y desde la versi\u00f3n 8.14.0 anteriores a 8.14.1" } ], "id": "CVE-2020-29451", "lastModified": "2024-11-21T05:24:01.820", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-15T01:15:12.900", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72000" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72000" } ], "sourceIdentifier": "security@atlassian.com", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-03 01:15
Modified
2024-11-21 04:38
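Severity: MEDIUM — CVSS v3.1 base score 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), NVD primary assessment from this record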
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70943 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70943 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "299AC09B-2CB7-443A-B586-8574F99A4DB4", "versionEndExcluding": "8.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "96DB3337-76C9-45AC-A51F-9927873A3785", "versionEndExcluding": "8.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos impedir que los usuarios accedan a la instancia por medio de una vulnerabilidad de Denegaci\u00f3n de Servicio de la Aplicaci\u00f3n en el endpoint /rendering/wiki. 
Las versiones afectadas son las versiones anteriores a 8.8.0" } ], "id": "CVE-2019-20418", "lastModified": "2024-11-21T04:38:25.747", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-03T01:15:10.677", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70943" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70943" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:32
Severity ?
Summary
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71113 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71113 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "385624FB-6801-4B2D-A41D-4435AB2DC2F7", "versionEndExcluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF1BD2D7-E2F8-4603-858C-D04267E88E28", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "74AEEBB1-3786-457D-891D-926DB7A4FDBB", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3477C08-4DDF-4B4C-B90F-A4897A76BAF5", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "29550345-AC18-4BA4-9632-7750F21CCD58", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CED0E35-40ED-4D46-8121-4F1AA9D23EAE", "versionEndExcluding": "8.5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type." 
}, { "lang": "es", "value": "El recurso de descarga de archivos adjuntos en Atlassian Jira Server y Data Center versiones anteriores a 8.5.5, y desde versiones 8.6.0 anteriores a 8.8.2, y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) que emite archivos adjuntos con un tipo de contenido vnd.wap.xhtml+xml" } ], "id": "CVE-2020-4024", "lastModified": "2024-11-21T05:32:10.537", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:12.193", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71113" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71113" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-01 23:15
Modified
2024-11-21 06:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72737 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72737 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "4817E8F9-D9C6-452A-8411-BEB440F99060", "versionEndExcluding": "8.19.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "D878DF43-15BE-42D5-ACE1-DD0422FBE8ED", "versionEndExcluding": "8.19.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center permiten a usuarios que han observado un problema sigan recibiendo actualizaciones sobre la misma incluso despu\u00e9s de que su cuenta de Jira sea revocada, por medio de una vulnerabilidad de Broken Access Control en la funcionalidad issue notification. 
Las versiones afectadas son anteriores a versi\u00f3n 8.19.0" } ], "id": "CVE-2021-39119", "lastModified": "2024-11-21T06:18:37.140", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-09-01T23:15:07.480", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72737" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72737" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-13 05:15
Modified
2024-11-21 04:39
Severity ?
Summary
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70408 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70408 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | 8.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2766F5DA-DABE-4A12-9635-4F3E6DAE52FB", "versionEndExcluding": "8.5.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:8.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B2C6AD4A-3055-438D-A12F-947DA304896D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter." }, { "lang": "es", "value": "El recurso login.jsp en Jira versiones anteriores a 8.5.2 y desde versi\u00f3n 8.6.0 anterior a versi\u00f3n 8.6.1, permite a atacantes remotos redireccionar a usuarios hacia un sitio web diferente que pueden usar como parte de un ataque de phishing por medio de un redireccionamiento abierto en el par\u00e1metro os_destination" } ], "id": "CVE-2019-20901", "lastModified": "2024-11-21T04:39:39.090", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", 
"privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-13T05:15:10.947", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70408" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70408" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-14 07:15
Modified
2024-11-21 06:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72009 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-72009 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | data_center | * | |
atlassian | data_center | * | |
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "34891AF3-4619-4D5A-8F80-8AAC55B1799D", "versionEndExcluding": "8.5.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB1A0309-39E0-4374-938A-8B4B6E47DD4B", "versionEndExcluding": "8.13.1", "versionStartIncluding": "8.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2324F010-76F2-43D3-96C0-BD9150B7E652", "versionEndExcluding": "8.5.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E4D5E0B-A456-4C6C-9AB5-A6E5645677C9", "versionEndExcluding": "8.13.1", "versionStartIncluding": "8.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1." }, { "lang": "es", "value": "Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos detectar los nombres de usuario de los usuarios por medio de una vulnerabilidad de enumeraci\u00f3n en la p\u00e1gina de restablecimiento de contrase\u00f1a. 
Las versiones afectadas son anteriores a versi\u00f3n 8.5.10, y desde versi\u00f3n 8.6.0 hasta 8.13.1" } ], "id": "CVE-2021-39125", "lastModified": "2024-11-21T06:18:38.170", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-09-14T07:15:07.233", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-72009" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://jira.atlassian.com/browse/JRASERVER-72009" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-07-18 14:29
Modified
2024-11-21 04:08
Severity ?
Summary
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-67410 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-67410 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F0C2FA0-B59B-441B-B6EC-5A0D79491FBE", "versionEndExcluding": "7.6.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D44339E-43F3-4097-8F1C-6CC59D2FB7CA", "versionEndExcluding": "7.10.1", "versionStartIncluding": "7.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter." }, { "lang": "es", "value": "El recurso EditIssue.jspa en Atlassian Jira antes de la versi\u00f3n 7.6.7 y desde la versi\u00f3n 7.7.0 hasta la 7.10.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el par\u00e1metro issuetype." 
} ], "id": "CVE-2018-5232", "lastModified": "2024-11-21T04:08:23.380", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-07-18T14:29:00.257", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67410" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-67410" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-17 14:29
Modified
2024-11-21 03:17
Severity ?
Summary
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66642 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66642 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2F243B1-7B91-4254-8F09-A516329EE956", "versionEndExcluding": "7.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information." }, { "lang": "es", "value": "El importador Trello en Atlassian Jira, en versiones anteriores a la 7.6.1, permite que atacantes remotos accedan al contenido de recursos de red internos mediante Server Side Request Forgery (SSRF). Cuando se ejecuta en un entorno como Amazon EC2, este error puede emplearse para acceder a un recurso de metadatos que proporciona credenciales de acceso y otro tipo de informaci\u00f3n potencialmente confidencial." 
} ], "id": "CVE-2017-16865", "lastModified": "2024-11-21T03:17:07.717", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-17T14:29:00.217", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66642" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66642" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-12 14:29
Modified
2024-11-21 03:13
Severity ?
Summary
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-66495 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-66495 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "33C8BF5E-57A4-4D29-88A3-463565E934E5", "versionEndExcluding": "7.2.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6AEDF84-4EF1-4275-AD6D-6A8F4A1E031C", "versionEndExcluding": "7.6.1", "versionStartIncluding": "7.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter." }, { "lang": "es", "value": "El recurso printable searchrequest issue en Atlassian Jira antes de la versi\u00f3n 7.2.12 y desde la versi\u00f3n 7.3.0 hasta la 7.6.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el par\u00e1metro query de jqlQuery." 
} ], "id": "CVE-2017-14594", "lastModified": "2024-11-21T03:13:10.200", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-12T14:29:00.353", "references": [ { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66495" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-66495" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-10-23 13:29
Modified
2024-11-21 03:47
Severity ?
Summary
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to an administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/105751 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-68138 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105751 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-68138 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "25E9DDE1-F33F-4F65-A521-807D4F09C0AE", "versionEndExcluding": "7.6.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B", "versionEndExcluding": "7.7.5", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386", "versionEndExcluding": "7.8.5", "versionStartIncluding": "7.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2", "versionEndExcluding": "7.9.3", "versionStartIncluding": "7.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C568973F-5079-49ED-928D-7F11C842CF4B", "versionEndExcluding": "7.10.3", "versionStartIncluding": "7.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "551A5667-1184-4E3D-9AA7-90C8D18590C3", "versionEndExcluding": "7.11.3", "versionStartIncluding": "7.11.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "078CC169-BA97-4F89-A9AE-05E21FC867CA", "versionEndExcluding": "7.12.3", "versionStartIncluding": "7.12.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0A81285-A452-4AFE-94BE-3B27014535A3", "versionEndExcluding": "7.13.1", "versionStartIncluding": "7.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before 
version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator\u0027s session to access certain administrative resources without needing to re-authenticate to pass \"WebSudo\" through an improper access control vulnerability." }, { "lang": "es", "value": "Varios recursos administrativos en Atlassian Jira en versiones anteriores a la 7.6.9, desde la versi\u00f3n 7.7.0 anterior a la 7.7.5, desde la versi\u00f3n 7.8.0 anterior a la 7.8.5, desde la versi\u00f3n 7.9.0 anterior a la 7.9.3, desde la versi\u00f3n 7.10.0 anterior a la 7.10.3, desde la versi\u00f3n 7.11.0 anterior a la 7.11.3, desde la versi\u00f3n 7.12.0 anterior a la 7.12.3 y antes de la versi\u00f3n 7.13.1 permiten que atacantes remotos con acceso a la sesi\u00f3n de administrador accedan a ciertos recursos administrativos sin necesitar reautenticarse para pasar \"WebSudo\" a trav\u00e9s de una vulnerabilidad de control de acceso incorrecto." 
} ], "id": "CVE-2018-13400", "lastModified": "2024-11-21T03:47:01.850", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-10-23T13:29:02.947", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105751" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68138" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/105751" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-68138" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-12-18 04:15
Modified
2024-11-21 04:27
Severity ?
Summary
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.
References
Source | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70405 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70405 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "F460A680-2B63-426A-8A84-4C82FBF1F9CC", "versionEndExcluding": "7.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B693DA20-3CDC-4089-82E3-F169BDFC3B04", "versionEndExcluding": "8.4.3", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "092C476C-0D3A-41A1-90E3-295730FD74EB", "versionEndExcluding": "8.5.2", "versionStartIncluding": "8.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check." }, { "lang": "es", "value": "El m\u00e9todo removeStatus de la clase WorkflowResource en Jira versiones anteriores a la versi\u00f3n 7.13.12, desde la versi\u00f3n 8.0.0 anteriores a la versi\u00f3n 8.4.3 y desde la versi\u00f3n 8.5.0 anteriores a la versi\u00f3n 8.5.2, permite a atacantes remotos autenticados que no tienen acceso de administraci\u00f3n del proyecto eliminar un estado del problema configurado desde el proyecto por medio de una falta de comprobaci\u00f3n de autorizaci\u00f3n." 
} ], "id": "CVE-2019-15013", "lastModified": "2024-11-21T04:27:52.437", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-12-18T04:15:14.197", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70405" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70405" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-06-29 07:15
Modified
2024-11-21 04:38
Severity ?
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
References
Source | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70885 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70885 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A5B1084-0838-4618-A0E0-C34E5A4DD438", "versionEndExcluding": "7.13.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66A32E0-AF2A-457D-8634-BC141F93EF97", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04AEDB9-DA55-4EB4-A30E-1487A1E352EA", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD3FC6D0-18E4-4BF7-8DE2-3D03730A7AAF", "versionEndExcluding": "7.13.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos inyectar HTML o JavaScript arbitrarios por medio de una vulnerabilidad de tipo cross site scripting (XSS) en Issue Navigator Basic Search. 
Las versiones afectadas son anteriores a la versi\u00f3n 7.13.9 y desde la versi\u00f3n 8.0.0 anteriores a 8.4.2" } ], "id": "CVE-2019-20414", "lastModified": "2024-11-21T04:38:25.383", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-06-29T07:15:09.880", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70885" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70885" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-10-15 22:15
Modified
2024-11-21 05:02
Severity ?
Summary
Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71696 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71696 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_server | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA88355F-8FEF-4CA9-BB17-3DA351B9816D", "versionEndExcluding": "7.13.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CCE165B-F599-49FF-A062-5EAA8389BD6A", "versionEndExcluding": "8.5.9", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "CAD23E06-C441-4D52-B235-C9F6D6C2D498", "versionEndExcluding": "8.12.2", "versionStartIncluding": "8.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2." }, { "lang": "es", "value": "Las versiones afectadas de Jira Server permiten a atacantes remotos no autenticados enumerar las claves de emisi\u00f3n por medio de una falta de comprobaci\u00f3n de permisos en el recurso ActionsAndOperations. 
Las versiones afectadas son anteriores a 7.13.18, desde la versi\u00f3n 8.0.0 anteriores a 8.5.9 y desde la versi\u00f3n 8.6.0 anteriores a la versi\u00f3n 8.12.2" } ], "id": "CVE-2020-14185", "lastModified": "2024-11-21T05:02:49.850", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-10-15T22:15:11.570", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71696" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71696" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-12 14:15
Modified
2024-11-21 04:38
Severity ?
Summary
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://ecosystem.atlassian.net/browse/APL-1390 | Vendor Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-70607 | Issue Tracking, Vendor Advisory | |
security@atlassian.com | https://www.tenable.com/security/research/tra-2020-06 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://ecosystem.atlassian.net/browse/APL-1390 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-70607 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.tenable.com/security/research/tra-2020-06 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_data_center | * | |
atlassian | jira_data_center | * | |
atlassian | jira_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F875304-9569-456B-A310-FA755B94A2C2", "versionEndExcluding": "8.4.5", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "59441EB1-B962-40C5-8517-47E16BE50329", "versionEndExcluding": "8.5.4", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E98BEBD-D918-40AA-8749-CB566CDF6A7A", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "84D83D55-0EB1-4813-B769-33B70C92A452", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present." }, { "lang": "es", "value": "El plugin Atlassian Application Links es vulnerable a un ataque de tipo cross-site request forgery (CSRF). 
Las siguientes versiones est\u00e1n afectadas: todas las versiones anteriores a 5.4.21, desde versi\u00f3n 6.0.0 anterior a versi\u00f3n 6.0.12, desde versi\u00f3n 6.1.0 anterior a versi\u00f3n 6.1.2, desde versi\u00f3n 7.0.0 anterior a versi\u00f3n 7.0.2 y desde versi\u00f3n 7.1.0 anterior a versi\u00f3n 7.1.3. El plugin vulnerable es usado por Atlassian Jira Server and Data Center anterior a versi\u00f3n 8.7.0. Un atacante podr\u00eda explotar esto al enga\u00f1ar a un usuario administrativo para que realice peticiones HTTP maliciosas, permitiendo que el atacante enumere hosts y puertos abiertos en la red interna donde el servidor Jira est\u00e1 presente." } ], "id": "CVE-2019-20100", "lastModified": "2024-11-21T04:38:03.830", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-12T14:15:11.263", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://ecosystem.atlassian.net/browse/APL-1390" }, { "source":
"security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70607" }, { "source": "security@atlassian.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.tenable.com/security/research/tra-2020-06" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://ecosystem.atlassian.net/browse/APL-1390" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-70607" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.tenable.com/security/research/tra-2020-06" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-01 02:15
Modified
2024-11-21 05:02
Severity ?
Summary
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatar names via an improper authorization vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-71185 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/JRASERVER-71185 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atlassian | jira | * | |
atlassian | jira_software_data_center | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "5034C3A6-284A-4FA6-B527-540F4A2CE26A", "versionEndExcluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E8FA5FE-78B2-4900-80A5-0851C13FCC2A", "versionEndExcluding": "8.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability." }, { "lang": "es", "value": "El recurso UniversalAvatarResource.getAvatars en Jira Server and Data Center versiones anteriores a 8.9.0, permite a atacantes remotos obtener informaci\u00f3n sobre nombres de avatars de proyectos personalizados por medio de una vulnerabilidad de autorizaci\u00f3n inapropiada" } ], "id": "CVE-2020-14165", "lastModified": "2024-11-21T05:02:47.013", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-01T02:15:11.757", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71185" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-71185" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }