Atlassian Jira vulnerabilities
155 known vulnerabilities affecting atlassian/jira.
Total CVEs: 155
CISA KEV: 0
Public exploits: 16
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 128, LOW 3
Vulnerabilities
Page 5 of 8
CVE-2019-20106 | MEDIUM | CVSS 4.3 | CWE-276 | fixed in 7.13.12 | 2020-02-06
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
Source: nvd

CVE-2019-15013 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 7.13.12 | affected: ≥ unspecified, < 7.13.12 (+4 more) | 2019-12-18
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.
Sources: cvelistv5, nvd

CVE-2019-15005 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 8.3.2 | 2019-11-08
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulne
Source: nvd

CVE-2019-8450 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ unspecified, < 7.13.6; ≥ 8.0.0, < unspecified (+1 more) | 2019-09-11
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.
Sources: cvelistv5, nvd

CVE-2019-8451 | MEDIUM | CVSS 6.5 | CWE-918 | PoC | affected: ≥ unspecified, < 8.4.0 | 2019-09-11
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Sources: cvelistv5, nvd

CVE-2019-8449 | MEDIUM | CVSS 5.3 | CWE-306 | PoC | fixed in 8.4.0 | affected: ≥ unspecified, < 8.4.0 | 2019-09-11
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
Sources: cvelistv5, nvd

CVE-2019-14995 | MEDIUM | CVSS 5.3 | CWE-863 | affected: ≥ unspecified, < 8.4.0 | 2019-09-11
The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.
Sources: cvelistv5, nvd

CVE-2019-14997 | MEDIUM | CVSS 4.3 | CWE-524 | affected: ≥ unspecified, < 8.4.0 | 2019-09-11
The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information exposure through caching vulnerability when Jira is configured with a reverse proxy and/or a load balancer with caching or a CDN.
Sources: cvelistv5, nvd

CVE-2019-14998 | MEDIUM | CVSS 6.5 | CWE-352 | affected: ≥ unspecified, < 8.4.0 | 2019-09-11
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
Sources: cvelistv5, nvd

CVE-2019-14996 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ unspecified, < 7.13.7; ≥ 8.0.0, < unspecified (+1 more) | 2019-09-11
The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
Sources: cvelistv5, nvd

CVE-2019-8444 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ unspecified, < 7.13.6; ≥ 8.0.0, < unspecified (+1 more) | 2019-08-23
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.
Sources: cvelistv5, nvd

CVE-2019-8445 | MEDIUM | CVSS 5.3 | CWE-863 | affected: ≥ unspecified, < 7.13.7; ≥ 8.0.0, < unspecified (+1 more) | 2019-08-23
Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.
Sources: cvelistv5, nvd

CVE-2019-8447 | MEDIUM | CVSS 4.3 | CWE-352 | affected: ≥ unspecified, < 8.3.2 | 2019-08-23
The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.
Sources: cvelistv5, nvd

CVE-2019-11585 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 7.13.6 | affected: ≥ unspecified, < 7.13.6 (+4 more) | 2019-08-23
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.
Sources: cvelistv5, nvd

CVE-2019-11586 | MEDIUM | CVSS 4.3 | CWE-352 | fixed in 7.13.6 | affected: ≥ unspecified, < 7.13.6 (+4 more) | 2019-08-23
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.
Sources: cvelistv5, nvd

CVE-2019-11587 | MEDIUM | CVSS 6.5 | CWE-352 | fixed in 7.13.6 | affected: ≥ unspecified, < 7.13.6 (+4 more) | 2019-08-23
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).
Sources: cvelistv5, nvd

CVE-2019-8446 | MEDIUM | CVSS 5.3 | CWE-863 | PoC | affected: ≥ unspecified, < 8.3.2 | 2019-08-23
The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.
Sources: cvelistv5, nvd

CVE-2019-11588 | MEDIUM | CVSS 4.3 | CWE-352 | fixed in 7.13.6 | affected: ≥ unspecified, < 7.13.6 (+4 more) | 2019-08-23
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.
Sources: cvelistv5, nvd

CVE-2019-11584 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 8.3.2 | affected: ≥ unspecified, < 8.3.2 | 2019-08-23
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.
Sources: cvelistv5, nvd

CVE-2019-11589 | MEDIUM | CVSS 6.1 | CWE-601 | affected: ≥ unspecified, < 7.13.6; ≥ 8.0.0, < unspecified (+3 more) | 2019-08-23
The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases being able to obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability.
Sources: cvelistv5, nvd