Filtered by vendor Atlassian
Subscribe
Total
432 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26134 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. | |||||
| CVE-2021-43954 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2021-39114 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. | |||||
| CVE-2021-43944 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | |||||
| CVE-2021-43957 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9. | |||||
| CVE-2022-26135 | 1 Atlassian | 4 Jira Data Center, Jira Server, Jira Service Desk and 1 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4. | |||||
| CVE-2021-43941 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | |||||
| CVE-2021-43955 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. | |||||
| CVE-2021-43958 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. | |||||
| CVE-2021-43950 | 1 Atlassian | 1 Jira Service Management | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature. The affected versions are before version 4.21.0. | |||||
| CVE-2021-43953 | 1 Atlassian | 2 Data Center, Jira | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | |||||
| CVE-2021-43943 | 1 Atlassian | 1 Jira Service Management | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The affected versions are before version 4.21.0. | |||||
| CVE-2022-0540 | 1 Atlassian | 3 Jira Data Center, Jira Server, Jira Service Management | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. | |||||
| CVE-2021-43940 | 2 Atlassian, Microsoft | 3 Confluence Data Center, Confluence Server, Windows | 2023-12-10 | 6.9 MEDIUM | 7.8 HIGH |
| Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence Server and Data Center on Windows. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | |||||
| CVE-2021-43945 | 1 Atlassian | 2 Data Center, Jira | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3. | |||||
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | |||||
| CVE-2021-41310 | 1 Atlassian | 1 Jira Software Data Center | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1. | |||||
| CVE-2021-39128 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1. | |||||
| CVE-2021-39124 | 1 Atlassian | 2 Data Center, Jira | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. | |||||
| CVE-2021-41304 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2. | |||||