Vulnerabilities > Atlassian

DATE CVE VULNERABILITY TITLE RISK
2019-09-19 CVE-2019-15000 OS Command Injection vulnerability in Atlassian Bitbucket
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) allows remote attackers who have permission to access a repository, if public access is enabled for a project or repository then attackers are able to exploit this issue anonymously, to read the contents of arbitrary files on the system and execute commands via injecting additional arguments into git commands.
network
atlassian CWE-78
6.8
2019-09-19 CVE-2019-14994 Path Traversal vulnerability in Atlassian Jira Service Desk
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability.
network
atlassian CWE-22
4.3
2019-09-11 CVE-2019-8451 Server-Side Request Forgery (SSRF) vulnerability in Atlassian Jira Server
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
network
low complexity
atlassian CWE-918
6.4
2019-09-11 CVE-2019-8450 Cross-site Scripting vulnerability in Atlassian Jira Server
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.
network
atlassian CWE-79
3.5
2019-09-11 CVE-2019-8449 Missing Authentication for Critical Function vulnerability in Atlassian Jira
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
network
low complexity
atlassian CWE-306
5.0
2019-09-11 CVE-2019-14998 Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira Server
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
network
atlassian CWE-352
4.3
2019-09-11 CVE-2019-14997 Unspecified vulnerability in Atlassian Jira Server
The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information expose through caching vulnerability when Jira is configured with a reverse Proxy and or a load balancer with caching or a CDN.
network
atlassian
4.3
2019-09-11 CVE-2019-14996 Cross-site Scripting vulnerability in Atlassian Jira Server
The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
network
atlassian CWE-79
4.3
2019-09-11 CVE-2019-14995 Missing Authorization vulnerability in Atlassian Jira Server
The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.
network
low complexity
atlassian CWE-862
5.0
2019-08-29 CVE-2019-3394 Path Traversal vulnerability in Atlassian Confluence and Confluence Server
There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting.
network
low complexity
atlassian CWE-22
4.0