394
CVEs
48
Critical
113
High
10
KEV
78
PoC
91
Unpatched C/H
32.0%
Patch Rate
7.6%
Avg EPSS
Severity Breakdown
CRITICAL
48
HIGH
113
MEDIUM
224
LOW
9
Monthly CVE Trend
Affected Products (30)
Jira Server
88
Jira
83
Jira Data Center
44
Confluence Server
31
Crucible
30
Fisheye
30
Confluence
27
Data Center
24
Jira Software Data Center
23
Confluence Data Center
22
Java
16
Bamboo
13
Crowd
11
Jira Service Desk
10
Bitbucket
9
Jira Service Management
8
Open Redirect
7
In App Desktop Notifications
4
Mattermost
4
S Notify
4
Mattermost Server
4
Jira Pipeline Steps
4
Pro Macros
4
Bitbucket Data Center
3
Sourcetree
3
Questions For Confluence
3
Secure Login
3
Zephyr For Jira Test Management
3
Ofbiz
3
Companion
3
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2023-22515 | Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | CRITICAL | 9.8 | 94.3% | 238 |
KEV
PoC
No patch
|
| CVE-2015-5603 | The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.5%. | MEDIUM | 6.5 | 82.5% | 150 |
PoC
No patch
|
| CVE-2015-8399 | Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.0%. | MEDIUM | 4.3 | 93.0% | 135 |
PoC
No patch
|
| CVE-2012-2926 | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.6%. | CRITICAL | 9.1 | 67.6% | 133 |
PoC
|
| CVE-2014-2314 | Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 65.8%. | MEDIUM | 4.3 | 65.8% | 122 |
PoC
No patch
|
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 95.4% | 84 |
KEV
PoC
No patch
|
| CVE-2022-26134 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 100.0% | 84 |
KEV
PoC
|
| CVE-2023-22518 | All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 100.0% | 84 |
KEV
PoC
No patch
|
| CVE-2017-9506 | The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.0%. | MEDIUM | 6.1 | 29.0% | 79 |
PoC
No patch
|
| CVE-2022-36804 | Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available. | HIGH | 8.8 | 99.1% | 79 |
KEV
PoC
|
| CVE-2024-21683 | This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | HIGH | 8.8 | 88.3% | 79 |
PoC
No patch
|
| CVE-2017-5983 | The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 6.4% | 75 |
PoC
No patch
|
| CVE-2019-11581 | There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 84.6% | 69 |
KEV
PoC
No patch
|
| CVE-2022-0540 | A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 88.1% | 69 |
PoC
|
| CVE-2022-26133 | SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.8 | 71.1% | 69 |
PoC
|