PT-2019-8260 · Atlassian · Application Links
Published 2019-03-29 · Updated 2019-04-01 · CVE-2017-18111
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Atlassian Application Links versions 5.0.0 through 5.0.9
Atlassian Application Links versions 5.1.0 through 5.1.2
Atlassian Application Links versions 5.2.0 through 5.2.5
Description
The issue allows a malicious application linked over OAuth to probe internal network resources, read the contents of files on the server, and cause an out-of-memory exception that affects availability, via an XML External Entity (XXE) vulnerability. This occurs because the OAuthHelper in Atlassian Application Links used an XML document builder that was vulnerable to XXE when parsing a client OAuth request.
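The root cause described above is a JAXP document builder left at its defaults, which resolves DOCTYPE declarations and external entities. The following added example (not Atlassian's code; class and method names such as OAuthXmlHardening, weakFactory and hardenedFactory are hypothetical) shows the default configuration beside a hardened one that rejects any DOCTYPE in an untrusted request body, and feeds both a constructed sample body so the difference is visible.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class OAuthXmlHardening {

    // Weak configuration: JAXP defaults resolve DOCTYPE and external entities.
    // This illustrates the class of mistake in the advisory; it is not Atlassian's code.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: an OAuth request body never needs a DTD, so refuse
    // DOCTYPE outright and disable every external-entity path as defence in depth.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies. The first carries a DOCTYPE with only an internal
        // entity; its mere presence is enough reason to reject an OAuth request.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        String plain = "<?xml version=\"1.0\"?><r><token>abc</token></r>";

        System.out.println("weak parser accepted DOCTYPE body: " + (parse(weakFactory(), withDoctype) != null));
        System.out.println("hardened parser accepted plain body: " + (parse(hardenedFactory(), plain) != null));
        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("hardened parser accepted DOCTYPE body (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE body: " + e.getMessage());
        }
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory; only the DocumentBuilderFactory variant is shown here.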
Recommendations
For versions 5.0.0 through 5.0.9, update to version 5.0.10 or later.
For versions 5.1.0 through 5.1.2, update to version 5.1.3 or later.
For versions 5.2.0 through 5.2.5, update to version 5.2.6 or later.
Fix · XXE
Affected Products
Application Links