[CWD-2797] XML Vulnerability in Crowd

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.0.9, 2.1.2, 2.2.9, 2.3.7, 2.4.1
Affects Version/s: 2.0, 2.1, 2.2, 2.3, 2.4
Component/s: REST, SOAP
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a vulnerability in Crowd that results from the way XML parsers are used. This vulnerability allows an attacker to:

Execute denial of service attacks against the Crowd server, or
Read all local files readable to the system user under which Crowd runs.

All versions of Crowd up to and including 2.4.0 are affected by this vulnerability.

Full details of the severity, risks and vulnerability can be found in the Crowd Security Advisory 2012-05-17.

mentioned in: Crowd Security Advisory 2012-05-17; Crowd Security Advisory 2012-05-17; Crowd Security Advisory 2012-05-17; Crowd Security Advisory 2012-05-17; Crowd Security Advisory 2012-05-17; Page Loading...; Page Loading...; Page Loading...; Wiki Page Loading...; Wiki Page Loading...; Wiki Page Loading...; Wiki Page Loading...

(7 mentioned in)

Form Name

VitalyA added a comment - 20/Apr/2012 5:20 AM

To install the patch, navigate to the atlassian-crowd-x.x.x (where x.x.x is the Crowd version) directory and unzip the patch file.

Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first.

VitalyA added a comment - 20/Apr/2012 5:20 AM To install the patch, navigate to the atlassian-crowd-x.x.x (where x.x.x is the Crowd version) directory and unzip the patch file. Note, the patches are only available for the point release indicated. If you are using an earlier point release for a major version, you must upgrade to the latest point release first.

joe added a comment - 26/Mar/2012 6:57 AM - edited

Patches for the most recent point release of the current and previous version are here:

joe added a comment - 26/Mar/2012 6:57 AM - edited Patches for the most recent point release of the current and previous version are here: http://downloads.atlassian.com/software/crowd/downloads/patch/patch-CWD-2797-2.3.6.zip http://downloads.atlassian.com/software/crowd/downloads/patch/patch-CWD-2797-2.4.0.zip

Assignee:: VitalyA

Reporter:: joe

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 26/Mar/2012 6:55 AM

Updated:: 15/Aug/2019 7:05 AM

Resolved:: 12/Apr/2012 8:31 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: VitalyA added a comment - 20/Apr/2012 5:20 AM

Expand comment: VitalyA added a comment - 20/Apr/2012 5:20 AM

Collapse comment: joe added a comment - 26/Mar/2012 6:57 AM, Edited by joe - 20/Apr/2012 6:13 AM

Expand comment: joe added a comment - 26/Mar/2012 6:57 AM, Edited by joe - 20/Apr/2012 6:13 AM

People

Dates