| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2023-22503 |
|
|
|
2023-05-01 |
2023-05-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature.
This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.
The affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0. |
|
2 |
CVE-2023-22501 |
287 |
|
|
2023-02-01 |
2023-02-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: * If the attacker is included on Jira issues or requests with these users, or * If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account. |
|
3 |
CVE-2022-43782 |
287 |
|
|
2022-11-17 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3 |
|
4 |
CVE-2022-43781 |
77 |
|
Exec Code |
2022-11-17 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”. |
|
5 |
CVE-2022-42978 |
863 |
|
|
2022-11-15 |
2022-11-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. |
|
6 |
CVE-2022-42977 |
200 |
|
+Info |
2022-11-15 |
2022-11-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded. |
|
7 |
CVE-2022-36804 |
77 |
|
Exec Code |
2022-08-25 |
2023-03-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew. |
|
8 |
CVE-2022-36803 |
276 |
|
|
2022-10-14 |
2022-10-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox. |
|
9 |
CVE-2022-36802 |
918 |
|
|
2022-10-14 |
2022-10-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request. |
|
10 |
CVE-2022-36801 |
79 |
|
XSS |
2022-08-10 |
2022-08-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8. |
|
11 |
CVE-2022-36800 |
863 |
|
|
2022-08-03 |
2022-08-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. The affected versions are before version 4.22.2. |
|
12 |
CVE-2022-36799 |
94 |
|
Exec Code |
2022-08-01 |
2022-08-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1. |
|
13 |
CVE-2022-26137 |
346 |
|
Bypass |
2022-07-20 |
2022-08-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4. |
|
14 |
CVE-2022-26136 |
287 |
|
XSS Bypass |
2022-07-20 |
2022-08-04 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4. |
|
15 |
CVE-2022-26135 |
918 |
|
|
2022-06-30 |
2022-08-04 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4. |
|
16 |
CVE-2022-26134 |
74 |
|
Exec Code |
2022-06-03 |
2022-06-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. |
|
17 |
CVE-2022-26133 |
502 |
|
Exec Code |
2022-04-20 |
2022-04-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization. |
|
18 |
CVE-2022-0540 |
287 |
|
Bypass |
2022-04-20 |
2022-06-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. |
|
19 |
CVE-2021-43959 |
918 |
|
|
2022-07-26 |
2022-08-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in the CSV importing feature of JSM Insight. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information. The affected versions are before version 4.13.20, from version 4.14.0 before 4.20.8, and from version 4.21.0 before 4.22.2. |
|
20 |
CVE-2021-43958 |
307 |
|
|
2022-03-16 |
2022-03-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. |
|
21 |
CVE-2021-43957 |
639 |
|
Bypass |
2022-03-16 |
2022-03-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9. |
|
22 |
CVE-2021-43956 |
1321 |
|
|
2022-03-16 |
2022-03-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. |
|
23 |
CVE-2021-43955 |
668 |
|
+Info |
2022-03-16 |
2022-03-22 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. |
|
24 |
CVE-2021-43954 |
918 |
|
|
2022-03-14 |
2022-03-18 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. |
|
25 |
CVE-2021-43953 |
352 |
|
CSRF |
2022-02-15 |
2022-04-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. |
|
26 |
CVE-2021-43952 |
352 |
|
CSRF |
2022-02-15 |
2022-06-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0. |
|
27 |
CVE-2021-43951 |
200 |
|
+Info |
2022-01-10 |
2022-03-04 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view object import configuration details via an Information Disclosure vulnerability in the Create Object type mapping feature. The affected versions are before version 4.21.0. |
|
28 |
CVE-2021-43950 |
|
|
|
2022-02-15 |
2022-07-12 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature. The affected versions are before version 4.21.0. |
|
29 |
CVE-2021-43949 |
200 |
|
+Info |
2022-01-10 |
2022-03-04 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are before version 4.21.0. |
|
30 |
CVE-2021-43948 |
|
|
|
2022-02-15 |
2022-07-12 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature. The affected versions are before version 4.21.0. |
|
31 |
CVE-2021-43947 |
|
|
Exec Code Bypass |
2022-01-06 |
2022-03-30 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. |
|
32 |
CVE-2021-43946 |
|
|
|
2022-01-05 |
2023-02-24 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9. |
|
33 |
CVE-2021-43945 |
79 |
|
XSS |
2022-02-28 |
2022-03-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3. |
|
34 |
CVE-2021-43944 |
94 |
|
Exec Code |
2022-03-08 |
2022-06-13 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. |
|
35 |
CVE-2021-43943 |
79 |
|
XSS |
2022-02-24 |
2022-03-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The affected versions are before version 4.21.0. |
|
36 |
CVE-2021-43942 |
79 |
|
XSS |
2022-01-04 |
2022-03-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. |
|
37 |
CVE-2021-43941 |
352 |
|
CSRF |
2022-02-15 |
2022-06-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. |
|
38 |
CVE-2021-41313 |
|
|
|
2021-11-01 |
2022-11-16 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7. |
|
39 |
CVE-2021-41312 |
287 |
|
|
2021-11-03 |
2021-11-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1. |
|
40 |
CVE-2021-41311 |
287 |
|
|
2021-12-08 |
2021-12-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1. |
|
41 |
CVE-2021-41310 |
79 |
|
XSS |
2021-11-01 |
2021-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1. |
|
42 |
CVE-2021-41309 |
287 |
|
|
2021-12-08 |
2021-12-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1. |
|
43 |
CVE-2021-41308 |
|
|
|
2021-10-26 |
2022-08-09 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1. |
|
44 |
CVE-2021-41307 |
639 |
|
|
2021-10-26 |
2022-03-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0. |
|
45 |
CVE-2021-41306 |
639 |
|
|
2021-10-26 |
2022-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0. |
|
46 |
CVE-2021-41305 |
639 |
|
|
2021-10-26 |
2022-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.. |
|
47 |
CVE-2021-41304 |
79 |
|
XSS |
2021-10-26 |
2022-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2. |
|
48 |
CVE-2021-39128 |
94 |
|
Exec Code |
2021-09-16 |
2022-08-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1. |
|
49 |
CVE-2021-39127 |
|
|
|
2021-10-21 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. |
|
50 |
CVE-2021-39126 |
352 |
|
CSRF |
2021-10-21 |
2022-04-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. |
