CVE-2018-20233

6.5MEDIUM

Key Information:

Vendor: Atlassian
Status: Universal Plugin Manager
Vendor: CVE Published:; 18 January 2019

Summary

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.

Affected Version(s)

Universal Plugin Manager < 2.22.14

References

http://www.securityfocus.com/bid/106661

vdb-entryx_refsource_BID

https://ecosystem.atlassian.net/browse/UPM-5964

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 18, 2019
Vulnerability Reserved
Dec 19, 2018