CVE-2019-20104 - XML Entity Expansion vulnerability in Atlassian Crowd
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before version 3.7.1, allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. The flaw is in the client (relying-party) side of OpenID, which parses XML fetched from an identifier the user supplies, so the XML is attacker-controlled and no authentication is needed; the impact is availability only (memory and CPU exhaustion from entity expansion), with no confidentiality or integrity loss. Fixed versions are 3.6.2 and 3.7.1; upgrading to either is the remediation.
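The following is an added example, not code from Atlassian or from the referenced advisory. It shows why an entity expansion payload is cheap for the attacker and expensive for an OpenID client, and how a strict parser refuses it. The document shape is an OpenID 2.0 XRDS discovery document (the XML an OpenID client fetches during discovery); the endpoint URL, the "lol" entity names and the nesting depth are constructed for this example, and the parser below is a generic expat-based guard, not Crowd's fix.

```python
"""Added example (not Atlassian code): XML entity expansion against an
OpenID client, and a strict XRDS parser that rejects any DTD up front."""
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when the document carries a DOCTYPE or an entity declaration."""


def expansion_bytes(depth: int, fanout: int, leaf_len: int) -> int:
    """Bytes the innermost entity expands to: leaf_len * fanout ** depth.
    depth=9, fanout=10, leaf 'lol' gives 3e9 bytes from about 1 KB of XML."""
    return leaf_len * fanout ** depth


def build_entity_expansion_payload(depth: int = 9, fanout: int = 10,
                                   leaf: str = "lol") -> bytes:
    """Constructed 'billion laughs' XRDS document: each entity references the
    previous one `fanout` times, so expansion grows geometrically with depth.
    The XRDS wrapper follows the OpenID 2.0 / Yadis layout; the payload is
    entirely synthetic."""
    decls = ['<!ENTITY lol0 "%s">' % leaf]
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    doc = "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<!DOCTYPE xrds:XRDS [',
        *decls,
        ']>',
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">',
        '  <XRD><Service priority="0">',
        '    <Type>http://specs.openid.net/auth/2.0/server</Type>',
        '    <URI>&lol%d;</URI>' % depth,   # expands on parse, not on the wire
        '  </Service></XRD>',
        '</xrds:XRDS>',
    ])
    return doc.encode("utf-8")


# Constructed benign discovery document; the endpoint is a placeholder.
BENIGN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.com/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def parse_xrds_strict(data: bytes) -> list:
    """Return the <URI> values of an XRDS document, refusing any DTD.
    An OpenID client only needs elements and text; a legitimate XRDS never
    needs a DOCTYPE, so rejecting it (and any entity declaration) blocks
    internal entity expansion and external-entity tricks before a single
    entity is expanded. Handlers that raise abort expat's parse."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver text of one node in a single callback
    uris, text = [], []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden("DOCTYPE not allowed in XRDS (name=%r)" % name)

    def forbid_entity(name, is_pe, value, base, sysid, pubid, notation):
        raise DtdForbidden("entity declaration not allowed: %r" % name)

    def start(name, attrs):
        text.clear()

    def chars(s):
        text.append(s)

    def end(name):
        if name == "URI":  # no namespace processing, so the raw tag name is seen
            uris.append("".join(text).strip())

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return uris


if __name__ == "__main__":
    payload = build_entity_expansion_payload()
    print("wire bytes:", len(payload), "expanded bytes:", expansion_bytes(9, 10, 3))
    print("benign:", parse_xrds_strict(BENIGN_XRDS))
    try:
        parse_xrds_strict(payload)
    except DtdForbidden as e:
        print("rejected:", e)
```

Two things to take from this: the amplification is purely a function of nesting depth and fan-out (a sub-kilobyte request expands to gigabytes), so request size limits do not help, and the only robust defence in a client that parses untrusted XML is to refuse DTDs and entity declarations before expansion starts rather than to cap memory afterwards.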
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://jira.atlassian.com/browse/CWD-5526
- https://zeroauth.ltd/blog/2020/02/07/cve-2019-20104-atlassian-crowd-openid-client-vulnerable-to-remote-dos-via-xml-entity-expansion/