CWD-5070: The administration backup restore resource was vulnerable to XXE - CVE-2017-18110

The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via an XML External Entity (XXE) vulnerability.

Change history

Monique Khairuliana (Inactive) made changes:
  Workflow - Original: Simplified Crowd Development Workflow v2 - restricted [ 2642982 ]; New: JAC Bug Workflow v3 [ 3365680 ]

David Black made changes:
  Summary - Original: The administration backup restore resource was vulnerable to XXE; New: The administration backup restore resource was vulnerable to XXE - CVE-2017-18110

David Black made changes:
  Labels - Original: advisory advisory-released bugbounty cvss-medium injection security xxe; New: CVE-2017-18110 advisory advisory-released bugbounty cvss-medium injection security xxe

David Black made changes:
  Description - Original: The administration backup restore resource in Atlassian Crowd before version 3.0.2 allows remote attackers to read files from the filesystem via a XXE vulnerability.; New: The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.

Owen made changes:
  Symptom Severity - Original: Major [ 14431 ]; New: Severity 2 - Major [ 15831 ]

David Black made changes:
  Priority - Original: Low [ 4 ]; New: Medium [ 3 ]

David Black made changes:
  Labels - Original: advisory advisory-to-release breaches-security-sla bugbounty cvss-medium injection security xxe; New: advisory advisory-released bugbounty cvss-medium injection security xxe

Marcin Kempa made changes:
  Security - Original: Atlassian Staff [ 10750 ]

Security Metrics Bot made changes:
  Due Date - New: 03/May/2018

David Black made changes:
  Resolution - New: Fixed [ 1 ]
  Status - Original: Open [ 1 ]; New: Closed [ 6 ]

Assignee: Unassigned
Reporter: Security Metrics Bot