Vulnerability identifier: #VU31133
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-611
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Crowd (Server applications / Directory software, identity management)
Vendor: Atlassian
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The administration backup restore resource in Atlassian Crowd before version 3.0.2, and from version 3.1.0 before version 3.1.1, allows remote attackers to read files from the filesystem via an XXE (XML External Entity) vulnerability: the XML backup submitted for restore is parsed with external entity resolution enabled, so an entity declared in the document's DOCTYPE can reference a local file whose contents are then expanded into the parsed document. Exploitation requires an account that is permitted to use the administration restore function.
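The parser misconfiguration behind this class of bug, and the fix, shown as an added example in Java (Crowd's implementation language). This is not Atlassian's code; the backup element names, the attribute read by the importer and the file path in the entity are constructed for illustration. The vulnerable path uses a default-configured JAXP DocumentBuilderFactory, which resolves the external entity and returns the file contents; the hardened path rejects any document that carries a DOCTYPE, which a restore format that needs no DTD can safely do.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class BackupRestoreXxeDemo {

    // Constructed sample "backup": the DOCTYPE declares an external entity that
    // points at a local file, and the entity is expanded inside an attribute the
    // importer reads. Element and attribute names are invented for this example.
    static final String MALICIOUS_BACKUP =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE crowd [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<crowd><directory name=\"&xxe;\"/></crowd>";

    // Pulls the value the importer would act on, so the effect of the entity is visible.
    static String directoryName(Document doc) {
        return doc.getDocumentElement().getElementsByTagName("directory")
                  .item(0).getAttributes().getNamedItem("name").getNodeValue();
    }

    // Vulnerable pattern: a factory with default settings loads the external DTD
    // subset and resolves SYSTEM entities, so the file contents land in the DOM.
    static String parseVulnerable(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return directoryName(doc);
    }

    // Hardened pattern: a backup format needs no DTD, so refuse DOCTYPE outright.
    // The remaining features are defence in depth for parser implementations
    // that do not honour the Xerces-specific disallow-doctype-decl feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    static String parseHardened(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return directoryName(doc);
    }

    public static void main(String[] args) throws Exception {
        try {
            // On a host where /etc/hostname exists this prints the file's contents.
            System.out.println("default parser returned: " + parseVulnerable(MALICIOUS_BACKUP));
        } catch (Exception e) {
            System.out.println("default parser tried to resolve the entity and failed: " + e);
        }
        try {
            parseHardened(MALICIOUS_BACKUP);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac BackupRestoreXxeDemo.java && java BackupRestoreXxeDemo`. The first line of output shows the local file's contents substituted into the `name` attribute, which is the information disclosure the advisory describes; the second shows the hardened builder failing the parse at the DOCTYPE before any entity is resolved. When auditing an application's restore or import endpoint, the check is the same: find every `DocumentBuilderFactory`, `SAXParserFactory`, `XMLInputFactory` or `TransformerFactory` that touches user-supplied XML and confirm DOCTYPE or external entity resolution is disabled on it.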
Mitigation
Upgrade to a fixed release: Crowd 3.0.2 or later for the 3.0.x line, or Crowd 3.1.1 or later for the 3.1.x line. Until the upgrade is applied, restrict the administration backup restore function to trusted administrators.
Vulnerable software versions
Crowd: 3.0.0 - 3.0.1, 3.1.0
External links
http://jira.atlassian.com/browse/CWD-5070
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.