Atlassian Jira Server vulnerabilities
159 known vulnerabilities affecting atlassian/jira_server.

Total CVEs: 159
CISA KEV: 2 (actively exploited)
Public exploits: 16
Exploited in wild: 2

Severity breakdown: CRITICAL 5, HIGH 28, MEDIUM 123, LOW 3

Vulnerabilities (page 5 of 8)
CVE-2019-20900 | MEDIUM | CVSS 4.8 | CWE-79 | Published 2020-07-13
Affected: ≥ 8.2.1, < 8.7.0; ≥ unspecified, < 8.7.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.
Sources: cvelistv5, nvd

CVE-2019-20901 | MEDIUM | CVSS 6.1 | CWE-601 | Published 2020-07-13
Affected: v8.6.0; ≥ unspecified, < 8.5.2; +2 more
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
Sources: cvelistv5, nvd

CVE-2019-20897 | MEDIUM | CVSS 6.5 | CWE-434 | Published 2020-07-13
Affected: ≥ 8.6.0, < 8.6.2; ≥ 8.7.0, < 8.7.1; +5 more
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
Sources: cvelistv5, nvd

CVE-2020-14172 | CRITICAL | CVSS 9.8 | CWE-502 | Published 2020-07-03
Affected: ≥ unspecified, < 7.13.0; ≥ 8.0.0, < unspecified; +3 more
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if the
Sources: cvelistv5, nvd

CVE-2019-20419 | HIGH | CVSS 7.8 | CWE-427 | Published 2020-07-03
Affected: fixed in 8.5.5; ≥ 8.6.0, < 8.7.2; +3 more
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.
Sources: cvelistv5, nvd

CVE-2019-20418 | MEDIUM | CVSS 6.5 | Published 2020-07-03
Affected: ≥ unspecified, < 8.8.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
Sources: cvelistv5, nvd

CVE-2020-14173 | MEDIUM | CVSS 5.4 | CWE-79 | Published 2020-07-03
Affected: ≥ 8.6.0, < 8.6.2; ≥ 8.7.0, < 8.7.1; +5 more
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
Sources: cvelistv5, nvd

CVE-2020-14167 | HIGH | CVSS 7.5 | Published 2020-07-01
Affected: ≥ 8.5.0, < 8.5.5; ≥ 8.8.0, < 8.8.2; +1 more
The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability.
Sources: nvd

CVE-2019-20408 | MEDIUM | CVSS 5.3 | CWE-918 | Published 2020-07-01
Affected: ≥ unspecified, < 8.7.0
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Sources: cvelistv5, nvd

CVE-2020-4025 | MEDIUM | CVSS 4.8 | CWE-79 | Published 2020-07-01
Affected: ≥ 8.6.0, < 8.8.2; ≥ 8.9.0, < 8.9.1
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a
Sources: nvd

CVE-2020-4024 | MEDIUM | CVSS 5.4 | CWE-79 | Published 2020-07-01
Affected: ≥ 8.6.0, < 8.8.2; ≥ 8.9.0, < 8.9.1
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.
Sources: nvd

CVE-2020-4029 | MEDIUM | CVSS 4.3 | Published 2020-07-01
Affected: ≥ 8.6.0, < 8.7.2; ≥ 8.8.0, < 8.8.1
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
Sources: nvd

CVE-2020-14168 | MEDIUM | CVSS 5.9 | Published 2020-07-01
Affected: ≥ 8.5.0, < 8.5.5; ≥ 8.8.0, < 8.8.2; +1 more
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.
Sources: nvd

CVE-2020-4022 | MEDIUM | CVSS 6.1 | CWE-79 | Published 2020-07-01
Affected: ≥ 8.6.0, < 8.8.2; ≥ 8.9.0, < 8.9.1
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.
Sources: nvd

CVE-2019-20415 | MEDIUM | CVSS 4.3 | CWE-352 | Published 2020-06-30
Affected: ≥ 8.0.0, < 8.1.0; ≥ unspecified, < 7.13.3; +2 more
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
Sources: cvelistv5, nvd

CVE-2019-20416 | MEDIUM | CVSS 4.8 | CWE-79 | Published 2020-06-30
Affected: ≥ unspecified, < 8.3.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
Sources: cvelistv5, nvd

CVE-2019-20413 | HIGH | CVSS 7.5 | Published 2020-06-29
Affected: ≥ 8.0.0, < 8.4.2; ≥ unspecified, < 7.13.9; +2 more
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Sources: cvelistv5, nvd

CVE-2019-20414 | MEDIUM | CVSS 5.4 | CWE-79 | Published 2020-06-29
Affected: ≥ 8.0.0, < 8.4.2; ≥ unspecified, < 7.13.9; +2 more
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Sources: cvelistv5, nvd

CVE-2019-20410 | MEDIUM | CVSS 6.5 | Published 2020-06-29
Affected: ≥ 7.7.0, < 7.13.9; ≥ 8.0.0, < 8.4.2; +5 more
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.
Sources: cvelistv5, nvd

CVE-2019-20411 | MEDIUM | CVSS 4.3 | CWE-352 | Published 2020-06-29
Affected: ≥ 8.0.0, < 8.4.2; ≥ unspecified, < 7.13.9; +2 more
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Sources: cvelistv5, nvd