#VU31133 XML External Entity injection in Crowd Server - CVE-2017-18110 

Published: March 29, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU31133
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-18110
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Crowd Server
Software vendor: Atlassian

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The administration backup restore resource in Atlassian Crowd before version 3.0.2, and from version 3.1.0 before version 3.1.1, allows remote attackers to read files from the filesystem via an XXE vulnerability.


Remediation

Install the update from the vendor's website.

External links