XML External Entity injection in Crowd Server - CVE-2017-18110
Published: March 29, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU31133
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-18110
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Atlassian
Affected software:
Crowd Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The administration backup restore resource in Atlassian Crowd before version 3.0.2, and from version 3.1.0 before version 3.1.1, allows remote attackers to read files from the filesystem via an XXE vulnerability.

How to mitigate CVE-2017-18110

Install the update from the vendor's website.

Sources