Search

Find a vulnerability

Search criteria

    28 vulnerabilities found for Jira Server and Data Center by Atlassian

    CVE-2020-4029 (GCVE-0-2020-4029)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 17:54
    VLAI
    Summary
    The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Improper authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.7.2 (custom)
    Affected: 8.8.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.799Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:29.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4029",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.7.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.8.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70926",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4029",
        "datePublished": "2020-07-01T01:35:29.763Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:54:34.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4025 (GCVE-0-2020-4025)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 22:03
    VLAI
    Summary
    The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.1 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.714Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71114"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:28.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71114"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4025",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71114",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71114"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4025",
        "datePublished": "2020-07-01T01:35:28.857Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:03:15.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4024 (GCVE-0-2020-4024)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 17:15
    VLAI
    Summary
    The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.795Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71113"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:28.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71113"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4024",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71113",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71113"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4024",
        "datePublished": "2020-07-01T01:35:28.416Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:15:19.346Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4022 (GCVE-0-2020-4022)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-17 03:43
    VLAI
    Summary
    The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.721Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71107"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:27.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71107"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4022",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71107",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71107"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4022",
        "datePublished": "2020-07-01T01:35:27.992Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:43:04.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14169 (GCVE-0-2020-14169)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 20:28
    VLAI
    Summary
    The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.191Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71205"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:27.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71205"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14169",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71205",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71205"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14169",
        "datePublished": "2020-07-01T01:35:27.569Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:28:10.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14168 (GCVE-0-2020-14168)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 18:02
    VLAI
    Summary
    The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Man-in-the-Middle (MitM)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 7.13.16 (custom)
    Affected: 8.5.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.7 (custom)
    Affected: 8.8.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.072Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71198"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.16",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Man-in-the-Middle (MitM)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:27.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71198"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14168",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.16"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.5.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.8.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Man-in-the-Middle (MitM)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71198",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71198"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14168",
        "datePublished": "2020-07-01T01:35:27.144Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:02:52.905Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14167 (GCVE-0-2020-14167)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-17 00:57
    VLAI
    Summary
    The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service (DoS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 7.13.14 (custom)
    Affected: 8.5.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.8.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:35.976Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71197"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.14",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service (DoS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:26.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71197"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14167",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.14"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.5.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.8.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (DoS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71197",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71197"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14167",
        "datePublished": "2020-07-01T01:35:26.668Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:57:08.846Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14165 (GCVE-0-2020-14165)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 22:26
    VLAI
    Summary
    The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Improper authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.9.0 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.024Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.9.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:25.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14165",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71185",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14165",
        "datePublished": "2020-07-01T01:35:25.806Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:26:41.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14164 (GCVE-0-2020-14164)

    Vulnerability from nvd – Published: 2020-07-01 01:35 – Updated: 2024-09-16 16:59
    VLAI
    Summary
    The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field.
    Severity
    No CVSS data available.
    CWE
    • Cross Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.8.2 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.137Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71184"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:25.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71184"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14164",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71184",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71184"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14164",
        "datePublished": "2020-07-01T01:35:25.329Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:59:07.646Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4028 (GCVE-0-2020-4028)

    Vulnerability from nvd – Published: 2020-06-23 12:55 – Updated: 2024-09-16 16:48
    VLAI
    Summary
    Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Sensitive Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-06-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.916Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71175"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Sensitive Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-23T12:55:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71175"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-06-17T00:00:00",
              "ID": "CVE-2020-4028",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Sensitive Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71175",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71175"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4028",
        "datePublished": "2020-06-23T12:55:12.201Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:48:18.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4021 (GCVE-0-2020-4021)

    Vulnerability from nvd – Published: 2020-06-01 06:35 – Updated: 2024-09-16 16:47
    VLAI
    Summary
    Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.1 (custom)
    Create a notification for this product.
    Date Public
    2020-04-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.541Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70923"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-04-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-01T06:35:33.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70923"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-04-23T00:00:00",
              "ID": "CVE-2020-4021",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70923",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70923"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4021",
        "datePublished": "2020-06-01T06:35:33.848Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:47:43.937Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20105 (GCVE-0-2019-20105)

    Vulnerability from nvd – Published: 2020-03-17 02:40 – Updated: 2024-09-16 19:25
    VLAI
    Summary
    The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Application Links Affected: unspecified , < 5.4.20 (custom)
    Affected: 6.0.0 , < unspecified (custom)
    Affected: unspecified , < 6.0.12 (custom)
    Affected: 7.0.0 , < unspecified (custom)
    Affected: unspecified , < 7.0.1 (custom)
    Affected: 7.1.0 , < unspecified (custom)
    Affected: unspecified , < 7.1.3 (custom)
    Create a notification for this product.
    Atlassian Jira Server and Data Center Affected: 7.13.8 , < unspecified (custom)
    Affected: unspecified , < 7.13.12 (custom)
    Affected: 8.4.2 , < unspecified (custom)
    Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Create a notification for this product.
    Date Public
    2020-03-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:32:10.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1391"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70526"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.4.20",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.0.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.13.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.4.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator\u0027s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \"WebSudo\" in products that support \"WebSudo\" through an improper access control vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-17T02:40:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1391"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70526"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-03-17T00:00:00",
              "ID": "CVE-2019-20105",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.20"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "6.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "6.0.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.0.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.1.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.13.8"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.4.2"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator\u0027s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \"WebSudo\" in products that support \"WebSudo\" through an improper access control vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1391",
                  "refsource": "MISC",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1391"
                },
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70526",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70526"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20105",
        "datePublished": "2020-03-17T02:40:13.819Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:25:54.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20106 (GCVE-0-2019-20106)

    Vulnerability from nvd – Published: 2020-02-06 03:10 – Updated: 2024-09-17 02:12
    VLAI
    Summary
    Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 7.13.12 (custom)
    Affected: 8.4.1 , < unspecified (custom)
    Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Create a notification for this product.
    Date Public
    2020-02-05 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:32:10.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70543"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.4.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-02-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-06T03:10:25.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70543"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-02-05T00:00:00",
              "ID": "CVE-2019-20106",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.4.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70543",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70543"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20106",
        "datePublished": "2020-02-06T03:10:25.647Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:12:10.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11581 (GCVE-0-2019-11581)

    Vulnerability from nvd – Published: 2019-08-09 19:30 – Updated: 2025-10-21 23:45
    Summary
    There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Template injection
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: 4.4.0 , < unspecified (custom)
    Affected: unspecified , < 7.6.14 (custom)
    Affected: 7.7.0 , < unspecified (custom)
    Affected: unspecified , < 7.13.5 (custom)
    Affected: 8.0.0 , < unspecified (custom)
    Affected: unspecified , < 8.0.3 (custom)
    Affected: 8.1.0 , < unspecified (custom)
    Affected: unspecified , < 8.1.2 (custom)
    Affected: 8.2.0 , < unspecified (custom)
    Affected: unspecified , < 8.2.3 (custom)
    Create a notification for this product.
    Date Public
    2019-07-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:55:40.874Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-69532"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-11581",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T12:28:21.195049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2022-03-07",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11581"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-74",
                    "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:45:32.328Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11581"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2022-03-07T00:00:00.000Z",
                "value": "CVE-2019-11581 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.6.14",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.13.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.0.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.1.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.2.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Template injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-09T19:30:59.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-69532"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-07-10T10:00:00",
              "ID": "CVE-2019-11581",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "4.4.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.6.14"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.0.3"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.1.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.2.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.2.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Template injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-69532",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-69532"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-11581",
        "datePublished": "2019-08-09T19:30:59.317Z",
        "dateReserved": "2019-04-29T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:45:32.328Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4029 (GCVE-0-2020-4029)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 17:54
    VLAI
    Summary
    The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Improper authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.7.2 (custom)
    Affected: 8.8.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.799Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:29.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4029",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.7.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.8.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70926",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4029",
        "datePublished": "2020-07-01T01:35:29.763Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:54:34.534Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4025 (GCVE-0-2020-4025)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 22:03
    VLAI
    Summary
    The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.1 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.714Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71114"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:28.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71114"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4025",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71114",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71114"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4025",
        "datePublished": "2020-07-01T01:35:28.857Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:03:15.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4024 (GCVE-0-2020-4024)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 17:15
    VLAI
    Summary
    The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.795Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71113"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:28.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71113"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4024",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71113",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71113"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4024",
        "datePublished": "2020-07-01T01:35:28.416Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:15:19.346Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4022 (GCVE-0-2020-4022)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-17 03:43
    VLAI
    Summary
    The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.721Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71107"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:27.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71107"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-4022",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71107",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71107"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4022",
        "datePublished": "2020-07-01T01:35:27.992Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:43:04.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14169 (GCVE-0-2020-14169)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 20:28
    VLAI
    Summary
    The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.191Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71205"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:27.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71205"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14169",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71205",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71205"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14169",
        "datePublished": "2020-07-01T01:35:27.569Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:28:10.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14168 (GCVE-0-2020-14168)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 18:02
    VLAI
    Summary
    The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Man-in-the-Middle (MitM)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 7.13.16 (custom)
    Affected: 8.5.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.7 (custom)
    Affected: 8.8.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.072Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71198"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.16",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Man-in-the-Middle (MitM)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:27.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71198"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14168",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.16"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.5.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.8.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Man-in-the-Middle (MitM)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71198",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71198"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14168",
        "datePublished": "2020-07-01T01:35:27.144Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:02:52.905Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14167 (GCVE-0-2020-14167)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-17 00:57
    VLAI
    Summary
    The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service (DoS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 7.13.14 (custom)
    Affected: 8.5.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.8.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.2 (custom)
    Affected: 8.9.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:35.976Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71197"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.14",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service (DoS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:26.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71197"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14167",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.14"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.5.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.8.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.9.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application\u0027s availability via an Denial of Service (DoS) vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (DoS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71197",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71197"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14167",
        "datePublished": "2020-07-01T01:35:26.668Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:57:08.846Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14165 (GCVE-0-2020-14165)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 22:26
    VLAI
    Summary
    The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Improper authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.9.0 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.024Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.9.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:25.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14165",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71185",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14165",
        "datePublished": "2020-07-01T01:35:25.806Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:26:41.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14164 (GCVE-0-2020-14164)

    Vulnerability from cvelistv5 – Published: 2020-07-01 01:35 – Updated: 2024-09-16 16:59
    VLAI
    Summary
    The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field.
    Severity
    No CVSS data available.
    CWE
    • Cross Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.8.2 (custom)
    Create a notification for this product.
    Date Public
    2020-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.137Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71184"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.8.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-01T01:35:25.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71184"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-01T00:00:00",
              "ID": "CVE-2020-14164",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71184",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71184"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14164",
        "datePublished": "2020-07-01T01:35:25.329Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:59:07.646Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4028 (GCVE-0-2020-4028)

    Vulnerability from cvelistv5 – Published: 2020-06-23 12:55 – Updated: 2024-09-16 16:48
    VLAI
    Summary
    Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Sensitive Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.9.1 (custom)
    Create a notification for this product.
    Date Public
    2020-06-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.916Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71175"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Sensitive Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-23T12:55:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71175"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-06-17T00:00:00",
              "ID": "CVE-2020-4028",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Sensitive Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71175",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71175"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4028",
        "datePublished": "2020-06-23T12:55:12.201Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:48:18.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-4021 (GCVE-0-2020-4021)

    Vulnerability from cvelistv5 – Published: 2020-06-01 06:35 – Updated: 2024-09-16 16:47
    VLAI
    Summary
    Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 8.5.5 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.8.1 (custom)
    Create a notification for this product.
    Date Public
    2020-04-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T07:52:20.541Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70923"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.8.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-04-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-01T06:35:33.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70923"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-04-23T00:00:00",
              "ID": "CVE-2020-4021",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70923",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70923"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-4021",
        "datePublished": "2020-06-01T06:35:33.848Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:47:43.937Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20105 (GCVE-0-2019-20105)

    Vulnerability from cvelistv5 – Published: 2020-03-17 02:40 – Updated: 2024-09-16 19:25
    VLAI
    Summary
    The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Application Links Affected: unspecified , < 5.4.20 (custom)
    Affected: 6.0.0 , < unspecified (custom)
    Affected: unspecified , < 6.0.12 (custom)
    Affected: 7.0.0 , < unspecified (custom)
    Affected: unspecified , < 7.0.1 (custom)
    Affected: 7.1.0 , < unspecified (custom)
    Affected: unspecified , < 7.1.3 (custom)
    Create a notification for this product.
    Atlassian Jira Server and Data Center Affected: 7.13.8 , < unspecified (custom)
    Affected: unspecified , < 7.13.12 (custom)
    Affected: 8.4.2 , < unspecified (custom)
    Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Create a notification for this product.
    Date Public
    2020-03-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:32:10.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ecosystem.atlassian.net/browse/APL-1391"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70526"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Application Links",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "5.4.20",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.0.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.0.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.13.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.4.2",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator\u0027s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \"WebSudo\" in products that support \"WebSudo\" through an improper access control vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-17T02:40:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ecosystem.atlassian.net/browse/APL-1391"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70526"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-03-17T00:00:00",
              "ID": "CVE-2019-20105",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Application Links",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "5.4.20"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "6.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "6.0.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.0.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.1.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.13.8"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.4.2"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator\u0027s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \"WebSudo\" in products that support \"WebSudo\" through an improper access control vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ecosystem.atlassian.net/browse/APL-1391",
                  "refsource": "MISC",
                  "url": "https://ecosystem.atlassian.net/browse/APL-1391"
                },
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70526",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70526"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20105",
        "datePublished": "2020-03-17T02:40:13.819Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:25:54.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20106 (GCVE-0-2019-20106)

    Vulnerability from cvelistv5 – Published: 2020-02-06 03:10 – Updated: 2024-09-17 02:12
    VLAI
    Summary
    Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: unspecified , < 7.13.12 (custom)
    Affected: 8.4.1 , < unspecified (custom)
    Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Create a notification for this product.
    Date Public
    2020-02-05 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:32:10.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70543"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.4.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-02-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-06T03:10:25.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70543"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-02-05T00:00:00",
              "ID": "CVE-2019-20106",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.4.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70543",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70543"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20106",
        "datePublished": "2020-02-06T03:10:25.647Z",
        "dateReserved": "2019-12-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:12:10.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11581 (GCVE-0-2019-11581)

    Vulnerability from cvelistv5 – Published: 2019-08-09 19:30 – Updated: 2025-10-21 23:45
    Summary
    There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Template injection
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server and Data Center Affected: 4.4.0 , < unspecified (custom)
    Affected: unspecified , < 7.6.14 (custom)
    Affected: 7.7.0 , < unspecified (custom)
    Affected: unspecified , < 7.13.5 (custom)
    Affected: 8.0.0 , < unspecified (custom)
    Affected: unspecified , < 8.0.3 (custom)
    Affected: 8.1.0 , < unspecified (custom)
    Affected: unspecified , < 8.1.2 (custom)
    Affected: 8.2.0 , < unspecified (custom)
    Affected: unspecified , < 8.2.3 (custom)
    Create a notification for this product.
    Date Public
    2019-07-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:55:40.874Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-69532"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-11581",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T12:28:21.195049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2022-03-07",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11581"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-74",
                    "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:45:32.328Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11581"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2022-03-07T00:00:00.000Z",
                "value": "CVE-2019-11581 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server and Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "4.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.6.14",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "7.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.13.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.0.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.1.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.2.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Template injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-09T19:30:59.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-69532"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-07-10T10:00:00",
              "ID": "CVE-2019-11581",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server and Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "4.4.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.6.14"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "7.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.5"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.0.3"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.1.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.2.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.2.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Template injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-69532",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-69532"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-11581",
        "datePublished": "2019-08-09T19:30:59.317Z",
        "dateReserved": "2019-04-29T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:45:32.328Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }