CVE-2012-2926
Last modified
CVE-2012-2926 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.. EPSS estimates a 66.58% chance of exploitation in the next 30 days.
Description
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Bamboo | < 3.3.4 |
| Atlassian | Bamboo | >= 3.4, < 3.4.5 |
| Atlassian | Confluence | < 3.5.16 |
| Atlassian | Confluence Server | >= 4.0, < 4.0.7 |
| Atlassian | Confluence Server | >= 4.1, < 4.1.10 |
| Atlassian | Crowd | < 2.0.9 |
| Atlassian | Crowd | >= 2.1, < 2.1.2 |
| Atlassian | Crowd | >= 2.2.0, < 2.2.9 |
| Atlassian | Crowd | >= 2.3.0, < 2.3.7 |
| Atlassian | Crowd | >= 2.4.0, < 2.4.1 |
| Atlassian | Crucible | < 2.5.8 |
| Atlassian | Crucible | >= 2.6, < 2.6.8 |
| Atlassian | Crucible | >= 2.7, < 2.7.12 |
| Atlassian | Fisheye | < 2.5.8 |
| Atlassian | Fisheye | >= 2.6, < 2.6.8 |
| Atlassian | Fisheye | >= 2.7, < 2.7.12 |
| Atlassian | Jira | < 5.0.1 |
References
- http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://osvdb.org/81993Broken Link
- http://secunia.com/advisories/49146Not Applicable
- http://www.securityfocus.com/bid/53595Third Party Advisory, VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75682Third Party Advisory, VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75697Third Party Advisory, VDB Entry
- http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17Patch, Vendor Advisory
- http://osvdb.org/81993Broken Link
- http://secunia.com/advisories/49146Not Applicable
- http://www.securityfocus.com/bid/53595Third Party Advisory, VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75682Third Party Advisory, VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75697Third Party Advisory, VDB Entry
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2012-2926?
How severe is CVE-2012-2926?
How do I fix CVE-2012-2926?
Are you affected by CVE-2012-2926?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST