Atlassian Jira Software Data Center vulnerabilities
45 known vulnerabilities affecting atlassian/jira_software_data_center.
Total CVEs: 45
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 10, MEDIUM 30
Vulnerabilities
Page 2 of 3
CVE-2019-20897 | MEDIUM | CVSS 6.5 | CWE-434 | fixed in 8.5.4 | 2020-07-13
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
Source: nvd
CVE-2020-14174 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 7.13.16 | 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version
Source: nvd
CVE-2020-14172 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 7.13.0; ≥ 8.0.0, < 8.5.0 (+1 more) | 2020-07-03
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if the
Source: nvd
CVE-2019-20418 | MEDIUM | CVSS 6.5 | fixed in 8.8.0 | 2020-07-03
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
Source: nvd
CVE-2020-14173 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.5.4 | 2020-07-03
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
Source: nvd
CVE-2020-14167 | HIGH | CVSS 7.5 | fixed in 7.13.14 | 2020-07-01
The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability.
Source: nvd
CVE-2020-4025 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 8.5.5 | 2020-07-01
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a
Source: nvd
CVE-2020-14164 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 8.8.2 | 2020-07-01
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field.
Source: nvd
CVE-2020-4024 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.5.5 | 2020-07-01
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.
Source: nvd
CVE-2020-4029 | MEDIUM | CVSS 4.3 | fixed in 8.5.5 | 2020-07-01
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
Source: nvd
CVE-2020-14168 | MEDIUM | CVSS 5.9 | fixed in 7.13.14 | 2020-07-01
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.
Source: nvd
CVE-2020-14165 | MEDIUM | CVSS 5.3 | fixed in 8.9.0 | 2020-07-01
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatar names via an improper authorization vulnerability.
Source: nvd
CVE-2020-4022 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 8.5.5 | 2020-07-01
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.
Source: nvd
CVE-2020-14169 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 8.9.1 | 2020-07-01
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
Source: nvd
CVE-2019-20415 | MEDIUM | CVSS 4.3 | CWE-352 | fixed in 7.13.3 | 2020-06-30
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
Source: nvd
CVE-2019-20416 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 8.3.0 | 2020-06-30
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
Source: nvd
CVE-2019-20413 | HIGH | CVSS 7.5 | fixed in 7.13.9 | 2020-06-29
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Source: nvd
CVE-2019-20414 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.13.9 | 2020-06-29
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
Source: nvd
CVE-2019-20410 | MEDIUM | CVSS 6.5 | fixed in 7.6.17 | 2020-06-29
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.
Source: nvd
CVE-2019-20412 | MEDIUM | CVSS 5.3 | CWE-287 | fixed in 7.13.9 | 2020-06-29
The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7
Source: nvd