VYPR

Vendor CVEs

Atlassian

All CVEs

471 total · sorted by risk
  • CVE-2012-2926 · Critical · May 22, 2012
    risk 0.67 · cvss 9.1 · epss 0.67

    Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3…

  • CVE-2018-5225 · Critical · Mar 22, 2018
    risk 0.65 · cvss 9.9 · epss 0.04

    In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x),…

  • CVE-2017-5983 · Critical · Apr 10, 2017
    risk 0.65 · cvss 9.8 · epss 0.16

    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.

  • CVE-2018-16281 · Critical · Sep 21, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control.

  • CVE-2018-13385 · Critical · Jul 24, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.…

  • CVE-2017-16861 · Critical · Feb 1, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or…

  • CVE-2017-14586 · Critical · Nov 27, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing. Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability.

  • CVE-2017-8768 · Critical · May 4, 2017
    risk 0.64 · cvss 9.8 · epss 0.08

    Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command.…

  • CVE-2016-6496 · Critical · Dec 9, 2016
    risk 0.64 · cvss 9.8 · epss 0.05

    The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.

  • CVE-2016-5229 · Critical · Aug 2, 2016
    risk 0.64 · cvss 9.8 · epss 0.07

    Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.

  • CVE-2015-8360 · Critical · Feb 8, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.

  • CVE-2014-9757 · Critical · Feb 8, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.

  • CVE-2017-14589 · Critical · Dec 13, 2017
    risk 0.63 · cvss 9.6 · epss 0.02

    It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute…

  • CVE-2026-21571 · Critical · Apr 21, 2026
    risk 0.61 · cvss n/a · epss 0.01

    This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of …

  • CVE-2017-14590 · Critical · Dec 13, 2017
    risk 0.59 · cvss 9.1 · epss 0.02

    Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least…

  • CVE-2017-14591 · Critical · Nov 29, 2017
    risk 0.59 · cvss 9.0 · epss 0.02

    Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.

  • CVE-2017-7357 · Critical · Apr 14, 2017
    risk 0.59 · cvss 9.1 · epss 0.03

    Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file.

  • CVE-2015-8361 · Critical · Feb 8, 2016
    risk 0.59 · cvss 9.1 · epss 0.03

    Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.

  • CVE-2017-14593 · High · Jan 26, 2018
    risk 0.58 · cvss 8.8 · epss 0.06

    Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From…

  • CVE-2017-14592 · High · Jan 26, 2018
    risk 0.58 · cvss 8.8 · epss 0.06

    Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. From version…

  • CVE-2018-5226 · High · Apr 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain…

  • CVE-2018-5224 · High · Mar 29, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked…

  • CVE-2017-18080 · High · Feb 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2017-18042 · High · Feb 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2017-9514 · High · Oct 12, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code…

  • CVE-2015-6576 · High · Oct 3, 2017
    risk 0.57 · cvss 8.8 · epss 0.04

    Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

  • CVE-2017-8907 · High · Jun 14, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects…

  • CVE-2017-8080 · High · May 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.03

    Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads.

  • CVE-2016-4319 · High · Apr 10, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.

  • CVE-2017-16857 · High · Dec 5, 2017
    risk 0.55 · cvss 8.5 · epss 0.01

    It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin,…

  • CVE-2018-13386 · High · Jul 24, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.…

  • CVE-2018-1000617 · High · Jul 9, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    Atlassian Floodlight Controller version 1.2 and earlier versions contains a Denial of Service vulnerability in the Forwarding module: an improper type cast in the Forwarding module allows remote attackers to cause a DoS (thread crash). This attack…

  • CVE-2018-5231 · High · May 16, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests…

  • CVE-2017-18087 · High · Feb 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk…

  • CVE-2017-9511 · High · Aug 24, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system.

  • CVE-2017-9512 · High · Aug 24, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.

  • CVE-2017-7415 · High · Apr 27, 2017
    risk 0.49 · cvss 7.5 · epss 0.04

    Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource.

  • CVE-2016-6668 · High · Jan 23, 2017
    risk 0.49 · cvss 7.5 · epss 0.04

    The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for…

  • CVE-2017-18096 · High · Apr 4, 2018
    risk 0.47 · cvss 7.2 · epss 0.01

    The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF)…

  • CVE-2018-5223 · High · Mar 29, 2018
    risk 0.47 · cvss 7.2 · epss 0.02

    Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice…

  • CVE-2017-14585 · High · Nov 27, 2017
    risk 0.47 · cvss 7.2 · epss 0.04

    A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and…

  • CVE-2017-9506 · Medium · Aug 23, 2017
    risk 0.45 · cvss 6.1 · epss 0.72

    The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

  • CVE-2017-16858 · Medium · Jan 31, 2018
    risk 0.44 · cvss 6.8 · epss 0.01

    The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using…

  • CVE-2018-5230 · Medium · May 14, 2018
    risk 0.43 · cvss 6.1 · epss 0.38

    The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting…

  • CVE-2016-6283 · Medium · Jan 18, 2017
    risk 0.43 · cvss 6.1 · epss 0.04

    Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.

  • CVE-2015-8398 · Medium · Apr 11, 2016
    risk 0.43 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.

  • CVE-2018-13398 · Medium · Sep 18, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2018-13394 · Medium · Aug 15, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6 (the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0) allows remote attackers to modify a comment into an answer via a Cross-site request forgery…

  • CVE-2018-13393 · Medium · Aug 15, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6 (the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0) allows remote attackers to modify a comment into an answer via a Cross-site request…

  • CVE-2017-16859 · Medium · Jun 28, 2018
    risk 0.42 · cvss 6.5 · epss 0.03

    The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability…

Page 1 of 10