Crowd Data Center / CWD-3366

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version/s: 2.5.4, 2.7, 2.6.3
    • Affects Version/s: 2.3.8, 2.5.3, 2.6.2, 2.4.9
    • Component/s: SOAP


      This issue has been assigned CVE-2013-3925 by the MITRE Corporation.
      The previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
      The new component was configured to handle URLs matching the pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ and the other versioned service paths, so requests on those paths are not covered by the fix.


      A successful attack requires direct access to the Crowd REST interface. As a result, only standalone Crowd servers are affected.

      A common configuration where an internal Crowd server is used by an Internet-facing Confluence, JIRA or other products is not vulnerable to an attack from the Internet.


      Please upgrade Crowd to 2.5.4 or 2.6.3. The issue has been resolved in these versions.


      For older versions of Crowd there is a patched version of xfire-servlet.xml attached to this ticket. It needs to replace the existing one inside a jar in your installation. See the patch instructions below for how to apply it.

      If you use Web Application Firewalls, Apache ACLs or similar technology, you can filter access to /crowd/services.

      Patching instructions moved up here from a comment, as the comment is collapsed.

      Patch instructions

      In addition to upgrading to one of the Fix Versions, older versions can be patched if you are unable to upgrade. The fix requires replacing the xfire-servlet.xml file in the crowd-server jar.


      The corrected version of the file can be used with Crowd 2.3.7, 2.4.1 or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.

      For example, for Crowd 2.4.2:

      zip -u atlassian-crowd-2.4.2/crowd-webapp/WEB-INF/lib/crowd-server-2.4.2.jar xfire-servlet.xml

      Or you can simply copy the attached xfire-servlet.xml to crowd-webapp/WEB-INF/classes, followed by a Crowd restart.

      Older versions

      With versions 2.1.2 or 2.2.9, extract xfire-servlet.xml from the jar and manually edit it to remove all urlMap entries other than the first key="/*" entry (the lines marked with - below), then put the edited file back and restart Crowd:

           <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
               <property name="urlMap">
                       <entry key="/*" value-ref="securityServerService"/>
      -                <entry key="/1/*" value-ref="securityServerService"/>
      -                <entry key="/2/*" value-ref="securityServerService2"/>
      -                <entry key="/latest/*" value-ref="securityServerService2"/>
               </property>
           </bean>
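      As an added example, not code from this ticket, from the attached patch or from Crowd itself, the following Python script automates the check behind both the description above and the manual edit: it reads the SimpleUrlHandlerMapping bean out of an xfire-servlet.xml, reports every urlMap entry other than key="/*" (the versioned paths the ticket says are not intercepted by the hardened component), and writes the mapping back with only the "/*" entry. The sample XML, the Spring beans namespace and the in-memory jar are constructed for the example; only the bean class and the urlMap entries come from the snippet above.

```python
"""Audit and harden the XFire servlet URL mapping described in CWD-3366.

Added example, not code from the ticket or from Crowd itself.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

HANDLER_MAPPING_CLASS = "org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"
SPRING_BEANS_NS = "http://www.springframework.org/schema/beans"  # assumed namespace

# Keep the default namespace prefix-free when serialising the hardened file.
ET.register_namespace("", SPRING_BEANS_NS)

# Constructed sample of the relevant bean, mirroring the entries quoted in the
# ticket; a real xfire-servlet.xml contains other beans as well.
SAMPLE_XFIRE_SERVLET_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="{SPRING_BEANS_NS}">
  <bean class="{HANDLER_MAPPING_CLASS}">
    <property name="urlMap">
      <map>
        <entry key="/*" value-ref="securityServerService"/>
        <entry key="/1/*" value-ref="securityServerService"/>
        <entry key="/2/*" value-ref="securityServerService2"/>
        <entry key="/latest/*" value-ref="securityServerService2"/>
      </map>
    </property>
  </bean>
</beans>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _url_map_properties(root):
    """Yield every <property name="urlMap"> under a SimpleUrlHandlerMapping bean."""
    for bean in root.iter():
        if _local(bean.tag) == "bean" and bean.get("class") == HANDLER_MAPPING_CLASS:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == "urlMap":
                    yield prop


def url_map_entries(xml_text):
    """Return [(key, value-ref), ...] for the handler mapping's urlMap."""
    root = ET.fromstring(xml_text)
    entries = []
    for prop in _url_map_properties(root):
        for elem in prop.iter():
            if _local(elem.tag) == "entry":
                entries.append((elem.get("key"), elem.get("value-ref")))
    return entries


def bypass_keys(xml_text):
    """Keys other than "/*": per the ticket, these paths are not intercepted by the hardened component."""
    return [key for key, _ in url_map_entries(xml_text) if key != "/*"]


def harden(xml_text):
    """Drop every urlMap entry except key="/*". Returns (new_xml, removed_keys)."""
    root = ET.fromstring(xml_text)
    removed = []
    for prop in _url_map_properties(root):
        # Materialise the container list first: removing children while
        # walking prop.iter() would skip siblings.
        for container in list(prop.iter()):
            for entry in list(container):
                if _local(entry.tag) == "entry" and entry.get("key") != "/*":
                    container.remove(entry)
                    removed.append(entry.get("key"))
    return ET.tostring(root, encoding="unicode"), removed


def build_sample_jar():
    """Constructed stand-in for crowd-server-<version>.jar with the sample file at its root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("xfire-servlet.xml", SAMPLE_XFIRE_SERVLET_XML)
    return buf.getvalue()


def audit_jar_bytes(jar_bytes, member="xfire-servlet.xml"):
    """Read xfire-servlet.xml out of a jar (given as bytes) and return its bypass keys."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return bypass_keys(jar.read(member).decode("utf-8"))


if __name__ == "__main__":
    print("entries not covered by /* in sample jar:", audit_jar_bytes(build_sample_jar()))
    fixed, removed = harden(SAMPLE_XFIRE_SERVLET_XML)
    print("removed:", removed)
    print(fixed)
```

      To run it against a real installation, read crowd-server-<version>.jar from crowd-webapp/WEB-INF/lib into bytes and pass them to audit_jar_bytes; an empty list means only the "/*" mapping remains, which is the state the patch instructions above produce.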

      We have documented a security notice regarding this matter: Crowd Security Notice 2013-07-01.

            Assignee: Unassigned
            Reporter: Thomas Richards