Multiple Atlassian Products XML Parsing Denial of Service Vulnerability

Bugtraq ID:	53595
Class:	Unknown
CVE:	CVE-2012-2926 CVE-2012-2927 CVE-2012-2928
Remote:	Yes
Local:	No
Published:	May 17 2012 12:00AM
Updated:	Mar 19 2015 07:35AM
Credit:	Reported by the vendor
Vulnerable:	Atlassian Tempo 6.4.3 Atlassian JIRA 5.0 0 Atlassian Gliffy 3.7.0
Not Vulnerable:	Atlassian Tempo 7.0.3 0 Atlassian Tempo 6.5.1 0 Atlassian Tempo 6.4.3.1 0 Atlassian JIRA 5.0.1 0 Atlassian Gliffy 3.7.1 0

Multiple Atlassian Products XML Parsing Denial of Service Vulnerability

JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:

Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable.

Multiple Atlassian Products XML Parsing Denial of Service Vulnerability

The following exploit is available:

• /data/vulnerabilities/exploits/53595.txt

Multiple Atlassian Products XML Parsing Denial of Service Vulnerability

Solution:
Updates are available. Please see the references for more information.

Multiple Atlassian Products XML Parsing Denial of Service Vulnerability

References:

• JRA-27719: XML Vulnerability in JIRA (Atlassian)
  
• Atlassian JIRA Homepage (Atlassian)
  
• JIRA Security Advisory 2012-05-17 (Atlassian)