XML External Entity Vulnerability in Atlassian Application Links
CVE-2017-18111
8.7 HIGH
Summary
The OAuthHelper component in Atlassian Application Links prior to version 5.0.10, and in specific versions between 5.1.0 and 5.2.6, is susceptible to an XML External Entity (XXE) vulnerability. The flaw arises when the component processes XML documents from client OAuth requests. An attacker can use it to probe internal network resources, read sensitive file contents, and potentially trigger out-of-memory exceptions that compromise system availability.
Affected Version(s)
Application Links < 5.0.10
Application Links 5.1.0
Application Links < 5.1.3
CVSS V3.1
Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed