Lucene search

MitreCVE-2012-2926

HistoryMay 22, 2012 - 3:55 p.m.

CVE-2012-2926

2012-05-2215:55:02

mitre

web.nvd.nist.gov

atlassian

jira

confluence

fisheye

crucible

bamboo

crowd

cve-2012-2926

xml parsers

security vulnerability

remote attack

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

Confidence

High

EPSS

0.459

Percentile

97.4%

JSON

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

Affected configurations

Nvd

Node

atlassianbambooRange<3.3.4

atlassianbambooRange3.4–3.4.5

atlassianconfluenceRange<3.5.16

atlassianconfluence_serverRange4.0–4.0.7

atlassianconfluence_serverRange4.1–4.1.10

atlassiancrowdRange<2.0.9

atlassiancrowdRange2.1–2.1.2

atlassiancrowdRange2.2.0–2.2.9

atlassiancrowdRange2.3.0–2.3.7

atlassiancrowdRange2.4.0–2.4.1

atlassiancrucibleRange<2.5.8

atlassiancrucibleRange2.6–2.6.8

atlassiancrucibleRange2.7–2.7.12

atlassianfisheyeRange<2.5.8

atlassianfisheyeRange2.6–2.6.8

atlassianfisheyeRange2.7–2.7.12

atlassianjiraRange<5.0.1

VendorProductVersionCPE
atlassianbamboo*cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
atlassianconfluence*cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*
atlassianconfluence_server*cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
atlassiancrowd*cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
atlassiancrucible*cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*
atlassianfisheye*cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*
atlassianjira*cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
atlassian	bamboo	*	cpe:2.3:a:atlassian:bamboo::::::::
atlassian	confluence	*	cpe:2.3:a:atlassian:confluence::::::::
atlassian	confluence_server	*	cpe:2.3:a:atlassian:confluence_server::::::::
atlassian	crowd	*	cpe:2.3:a:atlassian:crowd::::::::
atlassian	crucible	*	cpe:2.3:a:atlassian:crucible::::::::
atlassian	fisheye	*	cpe:2.3:a:atlassian:fisheye::::::::
atlassian	jira	*	cpe:2.3:a:atlassian:jira::::::::

References

confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17

confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17

confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17

confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17

confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17

osvdb.org/81993

secunia.com/advisories/49146

www.securityfocus.com/bid/53595

exchange.xforce.ibmcloud.com/vulnerabilities/75682

exchange.xforce.ibmcloud.com/vulnerabilities/75697

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

Confidence

High

EPSS

0.459

Percentile

97.4%

JSON

Related for CVE-2012-2926