CVE-2017-18111

8.7HIGH

Key Information:

Vendor: Atlassian
Status: Application Links
Vendor: CVE Published:; 29 March 2019

Summary

The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability.

Affected Version(s)

Application Links < 5.0.10

Application Links 5.1.0

Application Links < 5.1.3

References

https://ecosystem.atlassian.net/browse/APL-1338

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 29, 2019
Vulnerability Reserved
Feb 1, 2018