Atlassian

Bounty program; Full Safe Harbor; rewards up to USD $12,000

Program Details

Managed
Yes
Allows Disclosure
No

Scope (50 targets)

web: 29, mobile: 10, api: 1, other: 10

In Scope

  • Atlassian Guard Standard and Premium (https://admin.atlassian.com/atlassian-guard) web bounty-eligible
  • Atlassian Admin (https://admin.atlassian.com/) web bounty-eligible
  • Atlassian Identity (https://id.atlassian.com/login) web bounty-eligible
  • Atlassian Start (https://start.atlassian.com) web bounty-eligible
  • Bitbucket Cloud including Bitbucket Pipelines (https://bitbucket.org) web bounty-eligible
  • Confluence Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) web bounty-eligible
  • Confluence Cloud Premium (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) web bounty-eligible
  • Confluence Cloud Mobile App for Android mobile bounty-eligible
  • Confluence Cloud Mobile App for iOS mobile bounty-eligible
  • Jira Cloud Mobile App for Android mobile bounty-eligible
  • Jira Cloud Mobile App for iOS mobile bounty-eligible
  • Jira Service Management Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net) web bounty-eligible
  • Jira Software Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net) web bounty-eligible
  • Jira Work Management Cloud formerly Jira Core (bugbounty-test-<bugcrowd-name>.atlassian.net) web bounty-eligible
  • Any associated *.atlassian.com or *.atl-paas.net domain that can be exploited DIRECTLY from the *.atlassian.net instance other bounty-eligible
  • Rovo web bounty-eligible
  • Rovo Dev CLI other bounty-eligible
  • Other Rovo Dev web bounty-eligible
  • Atlassian MCP Server other bounty-eligible
  • Atlassian Compass web bounty-eligible
  • and 30 more targets

Out of Scope

  • Any internal or development services.
  • First- and third-party apps and plugins from the Marketplace are excluded from this bounty but may be in scope for https://bugcrowd.com/atlassianapps
  • shop.atlassian.com
  • bytebucket.org
  • *.bitbucket.io
  • https://blog.bitbucket.org
  • HipChat (inc. HipChat Data Center, HipChat Desktop, HipChat Mobile)
  • Stride (inc. Stride Video, Stride Desktop, Stride Mobile)
  • support.atlassian.com
  • Any customer instance. Do not test customer instances or affect customer data. Customer cloud instances may be in the form of <customer>.atlassian.net or <customer>.jira.com. Test only your own instances.
  • Any repository that you are not an owner of. Do not impact Atlassian customers in any way.
  • support.loom.com
  • info.loom.com
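The hardest rule in this listing to honour from an automated scanner is the customer-instance exclusion: your own bugbounty-test-<bugcrowd-name>.atlassian.net tenant is in scope, every other *.atlassian.net or *.jira.com host is somebody's production data, and *.atlassian.com / *.atl-paas.net hosts only count when reached directly from your instance. The following scope guard is an added example, not code from Bugcrowd or Atlassian, and encodes only the host-level rules quoted in the In Scope and Out of Scope sections above (the program brief on Bugcrowd remains authoritative). It matches on DNS labels rather than substrings so that look-alike hosts such as bugbounty-test-alice.atlassian.net.evil.com are rejected, and it rejects anything it does not recognise. Function names and the `bugcrowd_name` parameter are this example's own.

```python
"""Scope guard for automated testing against the Atlassian bounty program.

Added example; encodes the host rules quoted in the listing's In Scope and
Out of Scope sections. Unknown hosts are rejected rather than assumed safe.
"""
from urllib.parse import urlsplit

# Hosts the listing names as in scope (exact host match).
EXACT_IN_SCOPE = {
    "admin.atlassian.com",
    "id.atlassian.com",
    "start.atlassian.com",
    "bitbucket.org",
}

# Hosts the listing names as out of scope (exact host match); checked first.
EXACT_OUT_OF_SCOPE = {
    "shop.atlassian.com",
    "bytebucket.org",
    "blog.bitbucket.org",
    "support.atlassian.com",
    "support.loom.com",
    "info.loom.com",
}

# Wildcard exclusions: the zone itself and every label under it.
ZONE_OUT_OF_SCOPE = ("bitbucket.io",)

# Zones that hold customer instances; only your own test tenant is allowed.
CUSTOMER_ZONES = ("atlassian.net", "jira.com")

# Zones that are in scope only when exploited directly from your instance.
CONDITIONAL_ZONES = ("atlassian.com", "atl-paas.net")


def _host_of(target: str) -> str:
    """Normalise a URL or bare hostname to a lowercase host (no port, userinfo or trailing dot)."""
    if "://" not in target:
        target = "https://" + target
    host = urlsplit(target).hostname or ""   # urlsplit drops port and userinfo
    return host.rstrip(".").lower()


def _under(host: str, zone: str) -> bool:
    """True if host is zone or any subdomain of it; label-aware, never a substring match."""
    return host == zone or host.endswith("." + zone)


def classify(target: str, bugcrowd_name: str) -> str:
    """Return 'in_scope', 'conditional' or 'out_of_scope' for a URL or hostname."""
    host = _host_of(target)
    own_instance = f"bugbounty-test-{bugcrowd_name.lower()}.atlassian.net"

    if host in EXACT_OUT_OF_SCOPE:                     # explicit exclusions win
        return "out_of_scope"
    if any(_under(host, z) for z in ZONE_OUT_OF_SCOPE):
        return "out_of_scope"
    if host == own_instance or host in EXACT_IN_SCOPE:
        return "in_scope"
    if any(_under(host, z) for z in CUSTOMER_ZONES):    # any other tenant is a customer
        return "out_of_scope"
    if any(host.endswith("." + z) for z in CONDITIONAL_ZONES):
        return "conditional"                            # needs a chain from your instance
    return "out_of_scope"                               # unknown hosts are never assumed in scope


def filter_targets(targets, bugcrowd_name: str):
    """Split candidate targets into (allowed, needs_review, rejected) lists."""
    buckets = {"in_scope": [], "conditional": [], "out_of_scope": []}
    for t in targets:
        buckets[classify(t, bugcrowd_name)].append(t)
    return buckets["in_scope"], buckets["conditional"], buckets["out_of_scope"]


if __name__ == "__main__":
    # Constructed sample target list for a tester whose Bugcrowd name is "alice".
    sample = [
        "https://bugbounty-test-alice.atlassian.net/wiki",
        "https://acme.atlassian.net",
        "bugbounty-test-alice.atlassian.net.evil.com",
        "https://admin.atlassian.com/atlassian-guard",
        "something.atl-paas.net",
        "team.bitbucket.io",
    ]
    for name, group in zip(("allowed", "needs review", "rejected"), filter_targets(sample, "alice")):
        print(f"{name}: {group}")
```

Feed the allowed list to your scanner and keep the conditional list for manual chaining from the test instance; anything in the rejected list touches customer data or an excluded property and must not be probed.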

Known Exploited Vulnerabilities (13 CVEs in the CISA KEV catalog)

8 linked to ransomware campaigns

  • CVE-2021-26086 (Jira Server and Data Center), added to KEV Nov 12, 2024, EPSS 94.2%

    Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files, such as /WEB-INF/web.xml.

  • CVE-2023-22527 (Confluence Data Center and Server), added to KEV Jan 24, 2024, EPSS 94.4%

    Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

  • CVE-2023-22518 (Confluence Data Center and Server), added to KEV Nov 7, 2023, EPSS 94.4%

    Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. There is no impact on confidentiality, since the attacker cannot exfiltrate any data.

  • CVE-2023-22515 (Confluence Data Center and Server), added to KEV Oct 5, 2023, EPSS 94.3%

    Atlassian Confluence Data Center and Server contain a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.

  • CVE-2022-36804 (Bitbucket Server and Data Center), added to KEV Sep 30, 2022, EPSS 94.4%

    Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability: an attacker with access to a public Bitbucket repository, or with read permission on a private one, can execute code by sending a malicious HTTP request.

  • CVE-2022-26138 (Confluence), added to KEV Jul 29, 2022, EPSS 94.3%

    The Atlassian Questions For Confluence app has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content available to the confluence-users group.

  • CVE-2022-26134 (Confluence Server and Data Center), added to KEV Jun 2, 2022, EPSS 94.4%

    Atlassian Confluence Server and Data Center contain an unauthenticated OGNL injection vulnerability that allows remote code execution.

  • CVE-2021-26085 (Confluence Server), added to KEV Mar 28, 2022, EPSS 94.0%

    Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authentication arbitrary file read vulnerability in the /s/ endpoint.

  • CVE-2019-11581 (Jira Server and Data Center), added to KEV Mar 7, 2022, EPSS 94.4%

    Atlassian Jira Server and Data Center contain a server-side template injection vulnerability that can allow remote code execution.

  • CVE-2019-3398 (Confluence Server and Data Center), added to KEV Nov 3, 2021, EPSS 93.9%

    Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged remote attacker to write files. Exploitation can lead to remote code execution.

and 3 more (see the full CISA KEV catalog)

Additional Info

Sources
bugcrowd