CVE-2017-18111
Summary
| CVE | CVE-2017-18111 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-03-29 14:29:00 UTC |
| Updated | 2019-04-01 18:41:00 UTC |
| Description | The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability. |
Risk And Classification
Problem Types: CWE-611
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Atlassian | Application Links | All | All | All | All |
| Application | Atlassian | Application Links | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [APL-1338] The OAuthHelper in Applinks should safely create a document builder when consuming a client OAuth request - CVE-2017-18111 - Ecosystem Jira | MISC | ecosystem.atlassian.net | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.