Atlassian JIRA — программный продукт, разработанный Atlassian, который позволяет отслеживать ошибки, проблемы и гибкое управление проектами.
Релизный цикл, информация об уязвимостях
График релизов
Количество 305
BDU:2020-00077
Уязвимость системы отслеживания ошибок Jira, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код
CVE-2019-11583
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name".
CVE-2019-8443
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.
CVE-2019-8442
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
CVE-2019-3403
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CVE-2019-3402
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
CVE-2019-3401
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CVE-2018-20824
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
CVE-2019-3399
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
BDU:2023-00492
Уязвимость реализации класса CachingResourceDownloadRewriteRule системы отслеживания ошибок Jira, позволяющая нарушителю получить доступ к файлам в корневом каталоге
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | BDU:2020-00077 Уязвимость системы отслеживания ошибок Jira, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код | CVSS3: 9.8 | 94% Критический | почти 6 лет назад |
 | CVE-2019-11583 The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name". | CVSS3: 6.5 | 1% Низкий | почти 6 лет назад |
| CVE-2019-8443 The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | CVSS3: 8.1 | 1% Низкий | около 6 лет назад |
| CVE-2019-8442 The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | CVSS3: 7.5 | 93% Критический | около 6 лет назад |
| CVE-2019-3403 The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | CVSS3: 5.3 | 83% Высокий | около 6 лет назад |
| CVE-2019-3402 The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | CVSS3: 6.1 | 33% Средний | около 6 лет назад |
| CVE-2019-3401 The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | CVSS3: 5.3 | 83% Высокий | около 6 лет назад |
| CVE-2018-20824 The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | CVSS3: 6.1 | 46% Средний | около 6 лет назад |
| CVE-2019-3399 The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | CVSS3: 7.5 | 1% Низкий | около 6 лет назад |
| BDU:2023-00492 Уязвимость реализации класса CachingResourceDownloadRewriteRule системы отслеживания ошибок Jira, позволяющая нарушителю получить доступ к файлам в корневом каталоге | CVSS3: 7.5 | 93% Критический | больше 6 лет назад |
Уязвимостей на страницу