Deserialization of Untrusted Data in Jira Software - CVE-2017-5983

Published: April 10, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39218
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-5983
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Atlassian
Affected software:
Jira Software

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
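The advisory does not name the deserializer the plugin used, so the following added example (not Atlassian's code and not taken from this page) illustrates the CWE-502 pattern it describes with the JDK's own ObjectInputStream: the unsafe path instantiates whatever class a crafted stream names, while the hardened path attaches an allowlist filter (JEP 290, Java 9 and later) before readObject(). The WorkflowStep class, the filter string and the sample inputs are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // Hypothetical message type that a workflow service legitimately expects.
    public static final class WorkflowStep implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        WorkflowStep(String name) { this.name = name; }
    }

    // CWE-502 pattern: bytes from a request are fed straight into ObjectInputStream.
    // Whatever class the stream names is resolved and instantiated (its readObject /
    // readResolve logic runs) before the caller's cast is ever checked.
    static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened form: an allowlist filter is attached before readObject(). Only the
    // expected type (and java.lang.String for its field) may be resolved; "!*" rejects
    // everything else, and maxdepth/maxrefs bound resource use from nested graphs.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$WorkflowStep;java.lang.String;maxdepth=5;maxrefs=100;!*");

    static WorkflowStep safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOWLIST);
            return (WorkflowStep) in.readObject();
        }
    }

    // Helper used only to build the constructed sample inputs below.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected object and a harmless but unexpected type.
        byte[] expected = serialize(new WorkflowStep("approve"));
        byte[] unexpected = serialize(new java.util.ArrayList<String>());

        System.out.println("unsafe, expected type: " + ((WorkflowStep) unsafeDeserialize(expected)).name);
        // The unsafe path materialises any serializable class on the classpath.
        System.out.println("unsafe, unexpected type: " + unsafeDeserialize(unexpected).getClass().getName());

        System.out.println("safe, expected type: " + safeDeserialize(expected).name);
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            // A filter rejection surfaces as InvalidClassException ("filter status: REJECTED").
            System.out.println("safe, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist principle applies to XML-based deserializers: the safe configuration is one that resolves only the types the endpoint actually expects and rejects all others by default, rather than one that trusts class names supplied in the input.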

How to mitigate CVE-2017-5983

Install the update from the vendor's website.

Sources