Atlassian
Atlassian Corporation is an international proprietary software company that specialises in collaboration tools designed primarily for software development and project management. Founded in Sydney in 2002 and domiciled in the United States since 2022 as a pure holding company of Atlassian Corporation Plc, the company is globally headquartered in Sydney, Australia, with a US headquarters in San Francisco, and over 12,000 employees across 14 countries. Atlassian currently serves over 300,000 customers in over 200 countries and territories around the world.
Products
73- 117 CVEs
- 94 CVEs
- 92 CVEs
- 77 CVEs
- 61 CVEs
- 51 CVEs
- 51 CVEs
- 39 CVEs
- 23 CVEs
- 22 CVEs
- 21 CVEs
- 21 CVEs
- 17 CVEs
- 13 CVEs
- 13 CVEs
- 11 CVEs
- 9 CVEs
- 8 CVEs
- 8 CVEs
- 7 CVEs
- 6 CVEs
- 5 CVEs
- 4 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- View all 73 products →
Recent CVEs
471| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-2926 | Cri | 0.67 | 9.1 | 0.67 | May 22, 2012 | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3… | ||
| CVE-2018-5225 | Cri | 0.65 | 9.9 | 0.04 | Mar 22, 2018 | In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x),… | ||
| CVE-2017-5983 | Cri | 0.65 | 9.8 | 0.16 | Apr 10, 2017 | The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. | ||
| CVE-2018-16281 | Cri | 0.64 | 9.8 | 0.01 | Sep 21, 2018 | The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control. | ||
| CVE-2018-13385 | Cri | 0.64 | 9.8 | 0.02 | Jul 24, 2018 | There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.… | ||
| CVE-2017-16861 | Cri | 0.64 | 9.8 | 0.02 | Feb 1, 2018 | It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or… | ||
| CVE-2017-14586 | Cri | 0.64 | 9.8 | 0.04 | Nov 27, 2017 | The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing. Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability. | ||
| CVE-2017-8768 | Cri | 0.64 | 9.8 | 0.08 | May 4, 2017 | Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command.… | ||
| CVE-2016-6496 | Cri | 0.64 | 9.8 | 0.05 | Dec 9, 2016 | The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning. | ||
| CVE-2016-5229 | Cri | 0.64 | 9.8 | 0.07 | Aug 2, 2016 | Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. | ||
| CVE-2015-8360 | Cri | 0.64 | 9.8 | 0.03 | Feb 8, 2016 | An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port. | ||
| CVE-2014-9757 | Cri | 0.64 | 9.8 | 0.02 | Feb 8, 2016 | The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message. | ||
| CVE-2017-14589 | Cri | 0.63 | 9.6 | 0.02 | Dec 13, 2017 | It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute… | ||
| CVE-2026-21571 | Cri | 0.61 | — | 0.01 | Apr 21, 2026 | This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of … | ||
| CVE-2017-14590 | Cri | 0.59 | 9.1 | 0.02 | Dec 13, 2017 | Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least… | ||
| CVE-2017-14591 | Cri | 0.59 | 9.0 | 0.02 | Nov 29, 2017 | Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software. | ||
| CVE-2017-7357 | Cri | 0.59 | 9.1 | 0.03 | Apr 14, 2017 | Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file. | ||
| CVE-2015-8361 | Cri | 0.59 | 9.1 | 0.03 | Feb 8, 2016 | Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port. | ||
| CVE-2017-14593 | Hig | 0.58 | 8.8 | 0.06 | Jan 26, 2018 | Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From… | ||
| CVE-2017-14592 | Hig | 0.58 | 8.8 | 0.06 | Jan 26, 2018 | Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. From version… |
- risk 0.67cvss 9.1epss 0.67
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3…
- risk 0.65cvss 9.9epss 0.04
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x),…
- risk 0.65cvss 9.8epss 0.16
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
- risk 0.64cvss 9.8epss 0.01
The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control.
- risk 0.64cvss 9.8epss 0.02
There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.…
- risk 0.64cvss 9.8epss 0.02
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or…
- risk 0.64cvss 9.8epss 0.04
The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing. Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability.
- risk 0.64cvss 9.8epss 0.08
Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command.…
- risk 0.64cvss 9.8epss 0.05
The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.
- risk 0.64cvss 9.8epss 0.07
Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.
- risk 0.64cvss 9.8epss 0.03
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
- risk 0.64cvss 9.8epss 0.02
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
- risk 0.63cvss 9.6epss 0.02
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute…
- risk 0.61cvss —epss 0.01
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of …
- risk 0.59cvss 9.1epss 0.02
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least…
- risk 0.59cvss 9.0epss 0.02
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
- risk 0.59cvss 9.1epss 0.03
Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file.
- risk 0.59cvss 9.1epss 0.03
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.
- risk 0.58cvss 8.8epss 0.06
Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From…
- risk 0.58cvss 8.8epss 0.06
Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. From version…