CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Atlassian » Jira » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-43953 352 CSRF 2022-02-15 2022-04-25
4.3
None Remote Medium Not required None None Partial
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
2 CVE-2021-43947 Exec Code Bypass 2022-01-06 2022-03-30
9.0
None Remote Low ??? Complete Complete Complete
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
3 CVE-2021-43945 79 XSS 2022-02-28 2022-03-08
3.5
None Remote Medium ??? None Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
4 CVE-2021-41312 287 2021-11-03 2021-11-04
5.0
None Remote Low Not required None Partial None
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
5 CVE-2021-41308 287 2021-10-26 2022-03-30
4.0
None Remote Low ??? None Partial None
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
6 CVE-2021-41307 639 2021-10-26 2022-03-25
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
7 CVE-2021-41306 639 2021-10-26 2022-05-03
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
8 CVE-2021-41305 639 2021-10-26 2022-05-03
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12..
9 CVE-2021-41304 79 XSS 2021-10-26 2022-03-30
4.3
None Remote Medium Not required None Partial None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.
10 CVE-2021-39128 74 Exec Code 2021-09-16 2022-05-12
6.5
None Remote Low ??? Partial Partial Partial
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1.
11 CVE-2021-39127 668 2021-10-21 2022-03-30
5.0
None Remote Low Not required None Partial None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
12 CVE-2021-39125 200 +Info 2021-09-14 2022-03-25
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
13 CVE-2021-39124 352 Bypass CSRF 2021-09-14 2022-02-24
4.3
None Remote Medium Not required None Partial None
The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.
14 CVE-2021-39123 400 DoS 2021-09-14 2021-09-24
5.0
None Remote Low Not required None None Partial
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0.
15 CVE-2021-39122 2021-09-08 2022-03-30
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
16 CVE-2021-39121 2021-09-08 2022-03-30
4.0
None Remote Low ??? Partial None None
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.
17 CVE-2021-39119 287 2021-09-01 2021-09-10
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0.
18 CVE-2021-39118 200 +Info 2021-09-14 2021-09-24
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0.
19 CVE-2021-39117 79 XSS 2021-08-30 2021-09-02
3.5
None Remote Medium ??? None Partial None
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.
20 CVE-2021-39113 613 2021-08-30 2022-03-30
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
21 CVE-2021-39112 601 2021-08-25 2022-03-30
4.9
None Remote Medium ??? Partial Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
22 CVE-2021-39111 79 XSS 2021-08-30 2022-03-30
4.3
None Remote Medium Not required None Partial None
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
23 CVE-2021-26083 79 XSS 2021-07-20 2022-03-30
3.5
None Remote Medium ??? None Partial None
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
24 CVE-2021-26082 79 XSS 2021-07-20 2022-03-30
3.5
None Remote Medium ??? None Partial None
The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.
25 CVE-2021-26081 2021-07-20 2022-03-30
5.0
None Remote Low Not required Partial None None
REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.
26 CVE-2021-26079 79 XSS 2021-06-07 2022-03-30
4.3
None Remote Medium Not required None Partial None
The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
27 CVE-2021-26078 79 XSS 2021-06-07 2022-04-22
4.3
None Remote Medium Not required None Partial None
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
28 CVE-2021-26076 2021-04-15 2022-03-30
4.3
None Remote Medium Not required Partial None None
The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.
29 CVE-2021-26075 +Info 2021-04-15 2022-03-30
4.0
None Remote Low ??? Partial None None
The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.
30 CVE-2021-26071 352 CSRF 2021-04-01 2022-03-30
3.5
None Remote Medium ??? None Partial None
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
31 CVE-2021-26070 287 2021-03-22 2022-03-25
6.4
None Remote Low Not required Partial Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
32 CVE-2021-26069 74 2021-03-22 2022-03-30
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
33 CVE-2020-36289 200 +Info 2021-05-12 2022-03-30
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
34 CVE-2020-36288 79 XSS 2021-04-15 2022-03-30
4.3
None Remote Medium Not required None Partial None
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.
35 CVE-2020-36287 863 2021-04-09 2022-03-30
5.0
None Remote Low Not required Partial None None
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.
36 CVE-2020-36286 2021-04-01 2022-03-30
5.0
None Remote Low Not required Partial None None
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field.
37 CVE-2020-36238 863 2021-04-01 2022-03-30
5.0
None Remote Low Not required Partial None None
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
38 CVE-2020-36237 200 +Info 2021-02-15 2021-07-21
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
39 CVE-2020-36236 79 XSS 2021-02-15 2022-03-30
4.3
None Remote Medium Not required None Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
40 CVE-2020-36235 2021-02-15 2022-03-25
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.
41 CVE-2020-36234 79 XSS 2021-02-15 2022-03-30
3.5
None Remote Medium ??? None Partial None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
42 CVE-2020-36231 639 2021-02-02 2022-03-30
4.0
None Remote Low ??? Partial None None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.
43 CVE-2020-29451 2021-02-15 2022-03-25
4.0
None Remote Low ??? Partial None None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1.
44 CVE-2020-14185 862 2020-10-15 2022-03-25
5.0
None Remote Low Not required Partial None None
Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2.
45 CVE-2020-14184 79 XSS 2020-10-12 2022-03-25
3.5
None Remote Medium ??? None Partial None
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.
46 CVE-2020-14181 200 +Info 2020-09-17 2022-03-25
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
47 CVE-2020-14178 2020-09-01 2022-03-30
5.0
None Remote Low Not required Partial None None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0.
48 CVE-2020-14174 639 2020-07-13 2022-03-30
4.0
None Remote Low ??? Partial None None
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.
49 CVE-2020-14173 79 XSS 2020-07-03 2022-03-30
3.5
None Remote Medium ??? None Partial None
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
50 CVE-2020-14172 502 Exec Code 2020-07-03 2022-05-03
7.5
None Remote Low Not required Partial Partial Partial
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.
Total number of vulnerabilities : 131   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.