Xxe

2013-07-0121:55:00

PRIOn knowledge base

www.prio-n.com

7.2 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

69.4%

JSON

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML external entity declaration in conjunction with an entity reference.

CPENameOperatorVersion
crowdeq2.5.2
crowdeq2.5.1
crowdeq2.5.3
crowdeq2.5.0
crowdeq2.6.0
crowdeq2.6.1
crowdeq2.6.2
crowdeq2.4.9
crowdeq2.3.8

Name	Operator	Version
crowd	eq	2.5.2
crowd	eq	2.5.1
crowd	eq	2.5.3
crowd	eq	2.5.0
crowd	eq	2.6.0
crowd	eq	2.6.1
crowd	eq	2.6.2
crowd	eq	2.4.9
crowd	eq	2.3.8

References

www.commandfive.com/papers/C5_TA_2013_3925_AtlassianCrowd.pdf

jira.atlassian.com/browse/CWD-3366