CVE-2021-39113
https://notcve.org/view.php?id=CVE-2021-39113
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
References: https://jira.atlassian.com/browse/JRASERVER-72573
CWE-613: Insufficient Session Expiration
CVE-2017-18113
https://notcve.org/view.php?id=CVE-2017-18113
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator into importing their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into the OSWorkflow library and other Jira dependencies. Atlassian-made functions and functions provided by third-party plugins are not affected by this fix.
References: https://jira.atlassian.com/browse/JRASERVER-72660
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2020-36287
https://notcve.org/view.php?id=CVE-2020-36287
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1, allows remote anonymous attackers to obtain gadget-related settings via a missing permissions check.
References: https://github.com/f4rber/CVE-2020-36287 ; https://jira.atlassian.com/browse/JRASERVER-72258
CWE-862: Missing Authorization ; CWE-863: Incorrect Authorization
CVE-2021-26070
https://notcve.org/view.php?id=CVE-2021-26070
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
References: https://jira.atlassian.com/browse/JRASERVER-72029
CWE-287: Improper Authentication
CVE-2020-36237
https://notcve.org/view.php?id=CVE-2020-36237
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
References: https://jira.atlassian.com/browse/JRASERVER-72064