CVE-2013-3925

Published: 01/07/2013 Updated: 14/02/2024
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

Atlassian Crowd 2.5.x prior to 2.5.4, 2.6.x prior to 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers (an XML external entity, XXE, vulnerability) via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML external entity declaration in conjunction with an entity reference.

Vulnerability Trend

Vulnerable Products

atlassian crowd 2.3.8
atlassian crowd 2.4.9
atlassian crowd 2.5.0
atlassian crowd 2.5.1
atlassian crowd 2.5.2
atlassian crowd 2.5.3
atlassian crowd 2.6.0
atlassian crowd 2.6.1
atlassian crowd 2.6.2

Recent Articles

Atlassian plugs XML parsing vulnerability
The Register • Richard Chirgwin • 01 Jul 2013

Denies reports of a second vuln

Cloud provider Atlassian has moved to patch what a security researcher describes as a backdoor in its enterprise single sign-on Crowd service. However, the company is disputing Command Five's assertion that a second, as-yet-unpatched vulnerability remains. Command Five's advisory states that XML DTD (document type definition) parsing gave attackers a means to “retrieve files from the target network, make HTTP requests on the target network, or carry out a Denial of Service attack.” As the ad...