PT-2013-4747 · Atlassian · Crowd

Published: 2013-07-01 · Updated: 2024-02-14 · CVE-2013-3925

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
  Atlassian Crowd version 2.3.8
  Atlassian Crowd version 2.4.9
  Atlassian Crowd versions 2.5.x through 2.5.3
  Atlassian Crowd versions 2.6.x through 2.6.2

Description
  The issue allows remote attackers to read arbitrary files and send HTTP requests to intranet servers. This is achieved by sending a request to API endpoints such as "/services/2" or "services/latest" with a DTD containing an XML external entity declaration in conjunction with an entity reference.

Recommendations
  For Atlassian Crowd version 2.3.8, update to a version later than 2.3.8.
  For Atlassian Crowd version 2.4.9, update to a version later than 2.4.9.
  For Atlassian Crowd versions 2.5.x through 2.5.3, update to version 2.5.4 or later.
  For Atlassian Crowd versions 2.6.x through 2.6.2, update to version 2.6.3 or later.
  As a temporary workaround, consider restricting access to the API endpoints "/services/2" and "services/latest" to minimize the risk of exploitation.
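The root cause described above is an XML parser that honours a DTD supplied by the client, so the durable fix at the code level is to reject DOCTYPE declarations and external entities before the parser can resolve anything. The following is an added example, not code from Atlassian or from the Crowd product, showing a hardened JAXP DocumentBuilder configuration (the standard features from the Xerces parser shipped with the JDK); the class name HardenedXmlParser and the two sample documents are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Constructed example: a DocumentBuilder that refuses DTDs outright, so an
// XML external entity declaration is never reached, let alone resolved.
public final class HardenedXmlParser {

    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single setting: any <!DOCTYPE ...> makes parsing fail.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DTD must be tolerated: no external
        // general/parameter entities and no fetching of an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the document parses under the hardened configuration,
    // false when the parser rejects it (for example because it carries a DTD).
    public static boolean accepts(String xml) throws ParserConfigurationException, IOException {
        try {
            newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException rejected) {
            // A rejection here is worth logging: a DOCTYPE in a request body to an
            // API that never needs one is a useful detection signal.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an ordinary document and one carrying a
        // harmless internal DTD; the hardened parser must reject the latter.
        String plain = "<user><name>alice</name></user>";
        String withDtd = "<!DOCTYPE user [<!ENTITY greeting \"hello\">]>"
                       + "<user><name>&greeting;</name></user>";
        System.out.println("plain document accepted: " + accepts(plain));      // true
        System.out.println("document with DOCTYPE accepted: " + accepts(withDtd)); // false
    }
}
```

The disallow-doctype-decl feature alone closes the issue for an API that has no legitimate use for DTDs, which is the usual case for REST-style endpoints; the remaining settings matter for code paths that cannot turn DTDs off entirely. The same feature names apply to SAXParserFactory and, via the underlying XMLReader, to most other JAXP entry points.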

Exploit

Fix

RCE
