Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Atlassian Application Links by Atlassian

    CVE-2018-20239 (GCVE-0-2018-20239)

    Vulnerability from nvd – Published: 2019-04-30 15:28 – Updated: 2024-09-16 20:01
    VLAI
    Summary
    Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.
    Severity
    No CVSS data available.
    CWE
    • Cross Site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Atlassian Atlassian Application Links Affected: unspecified , < 5.0.11 (custom)
    Affected: 5.1.0 , < unspecified (custom)
    Affected: unspecified , < 5.2.10 (custom)
    Affected: 5.3.0 , < unspecified (custom)
    Affected: unspecified , < 5.3.6 (custom)
    Affected: 5.4.0 , < unspecified (custom)
    Affected: unspecified , < 5.4.12 (custom)
    Affected: 6.0.0 , < unspecified (custom)
    Affected: unspecified , < 6.0.4 (custom)
    Create a notification for this product.
    Date Public
    2019-04-29 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:18.795Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1373"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/CRUC-8379"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/FE-7161"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/CONFSERVER-58208"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/CWD-5362"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-68855"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.0.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.2.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.3.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-04-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-29T20:20:19.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1373"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/CRUC-8379"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/FE-7161"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/CONFSERVER-58208"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/CWD-5362"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-68855"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-04-29T00:00:00",
              "ID": "CVE-2018-20239",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.0.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.2.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.3.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.3.6"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.4.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "6.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "6.0.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1373",
                  "refsource": "MISC",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1373"
                },
                {
                  "name": "https://jira.atlassian.com/browse/CRUC-8379",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/CRUC-8379"
                },
                {
                  "name": "https://jira.atlassian.com/browse/FE-7161",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/FE-7161"
                },
                {
                  "name": "https://jira.atlassian.com/browse/CONFSERVER-58208",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/CONFSERVER-58208"
                },
                {
                  "name": "https://jira.atlassian.com/browse/CWD-5362",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/CWD-5362"
                },
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-68855",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-68855"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-20239",
        "datePublished": "2019-04-30T15:28:27.775Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:01:43.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-5227 (GCVE-0-2018-5227)

    Vulnerability from nvd – Published: 2018-04-10 13:00 – Updated: 2024-09-17 01:56
    VLAI
    Summary
    Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.
    Severity
    No CVSS data available.
    CWE
    • Cross Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Atlassian Application Links Affected: unspecified , < 5.4.4 (custom)
    Create a notification for this product.
    Date Public
    2018-04-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T05:33:43.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1361"
              },
              {
                "name": "103731",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103731"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.4.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-04-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-12T09:57:02.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1361"
            },
            {
              "name": "103731",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103731"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-04-10T00:00:00",
              "ID": "CVE-2018-5227",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1361",
                  "refsource": "CONFIRM",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1361"
                },
                {
                  "name": "103731",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103731"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-5227",
        "datePublished": "2018-04-10T13:00:00.000Z",
        "dateReserved": "2018-01-05T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:56:13.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-18096 (GCVE-0-2017-18096)

    Vulnerability from nvd – Published: 2018-04-04 12:00 – Updated: 2024-09-16 17:54
    VLAI
    Summary
    The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.
    Severity
    No CVSS data available.
    CWE
    • Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Atlassian Application Links Affected: unspecified , < 5.2.7 (custom)
    Affected: 5.3.0 , < unspecified (custom)
    Affected: unspecified , < 5.3.4 (custom)
    Affected: 5.4.0 , < unspecified (custom)
    Affected: unspecified , < 5.4.3 (custom)
    Create a notification for this product.
    Date Public
    2018-04-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T21:13:48.177Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1359"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.2.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.3.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-04-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location\u0027s OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-04T11:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1359"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-04-04T00:00:00",
              "ID": "CVE-2017-18096",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.2.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.3.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.3.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.4.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location\u0027s OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Server-Side Request Forgery (SSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1359",
                  "refsource": "CONFIRM",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1359"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2017-18096",
        "datePublished": "2018-04-04T12:00:00.000Z",
        "dateReserved": "2018-02-01T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:54:30.699Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20239 (GCVE-0-2018-20239)

    Vulnerability from cvelistv5 – Published: 2019-04-30 15:28 – Updated: 2024-09-16 20:01
    VLAI
    Summary
    Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.
    Severity
    No CVSS data available.
    CWE
    • Cross Site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Atlassian Atlassian Application Links Affected: unspecified , < 5.0.11 (custom)
    Affected: 5.1.0 , < unspecified (custom)
    Affected: unspecified , < 5.2.10 (custom)
    Affected: 5.3.0 , < unspecified (custom)
    Affected: unspecified , < 5.3.6 (custom)
    Affected: 5.4.0 , < unspecified (custom)
    Affected: unspecified , < 5.4.12 (custom)
    Affected: 6.0.0 , < unspecified (custom)
    Affected: unspecified , < 6.0.4 (custom)
    Create a notification for this product.
    Date Public
    2019-04-29 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:18.795Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1373"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/CRUC-8379"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/FE-7161"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/CONFSERVER-58208"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/CWD-5362"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-68855"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.0.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.2.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.3.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-04-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-29T20:20:19.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1373"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/CRUC-8379"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/FE-7161"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/CONFSERVER-58208"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/CWD-5362"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-68855"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-04-29T00:00:00",
              "ID": "CVE-2018-20239",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.0.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.2.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.3.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.3.6"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.4.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "6.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "6.0.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1373",
                  "refsource": "MISC",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1373"
                },
                {
                  "name": "https://jira.atlassian.com/browse/CRUC-8379",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/CRUC-8379"
                },
                {
                  "name": "https://jira.atlassian.com/browse/FE-7161",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/FE-7161"
                },
                {
                  "name": "https://jira.atlassian.com/browse/CONFSERVER-58208",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/CONFSERVER-58208"
                },
                {
                  "name": "https://jira.atlassian.com/browse/CWD-5362",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/CWD-5362"
                },
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-68855",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-68855"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-20239",
        "datePublished": "2019-04-30T15:28:27.775Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:01:43.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-5227 (GCVE-0-2018-5227)

    Vulnerability from cvelistv5 – Published: 2018-04-10 13:00 – Updated: 2024-09-17 01:56
    VLAI
    Summary
    Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.
    Severity
    No CVSS data available.
    CWE
    • Cross Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Atlassian Application Links Affected: unspecified , < 5.4.4 (custom)
    Create a notification for this product.
    Date Public
    2018-04-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T05:33:43.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1361"
              },
              {
                "name": "103731",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103731"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.4.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-04-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-12T09:57:02.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1361"
            },
            {
              "name": "103731",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103731"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-04-10T00:00:00",
              "ID": "CVE-2018-5227",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1361",
                  "refsource": "CONFIRM",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1361"
                },
                {
                  "name": "103731",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103731"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-5227",
        "datePublished": "2018-04-10T13:00:00.000Z",
        "dateReserved": "2018-01-05T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:56:13.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-18096 (GCVE-0-2017-18096)

    Vulnerability from cvelistv5 – Published: 2018-04-04 12:00 – Updated: 2024-09-16 17:54
    VLAI
    Summary
    The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.
    Severity
    No CVSS data available.
    CWE
    • Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Atlassian Application Links Affected: unspecified , < 5.2.7 (custom)
    Affected: 5.3.0 , < unspecified (custom)
    Affected: unspecified , < 5.3.4 (custom)
    Affected: 5.4.0 , < unspecified (custom)
    Affected: unspecified , < 5.4.3 (custom)
    Create a notification for this product.
    Date Public
    2018-04-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T21:13:48.177Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1359"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Atlassian Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.2.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.3.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-04-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location\u0027s OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-04T11:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1359"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-04-04T00:00:00",
              "ID": "CVE-2017-18096",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Atlassian Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.2.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.3.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.3.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "5.4.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location\u0027s OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Server-Side Request Forgery (SSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1359",
                  "refsource": "CONFIRM",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1359"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2017-18096",
        "datePublished": "2018-04-04T12:00:00.000Z",
        "dateReserved": "2018-02-01T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:54:30.699Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }