CVE-2017-18111
HIGHAtlassian Application Links <5.0.10, 5.1.0-5.1.3, 5.2.0-5.2.6 - XML External Entity Injection via OAuthHelper
Title source: llmDescription
The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://ecosystem.atlassian.net/browse/APL-1338
Scores
CVSS v3
8.7
EPSS
0.0014
EPSS Percentile
33.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H
Details
CWE
CWE-611
Status
published
Products (1)
atlassian/application_links
< 5.0.10
Published
Mar 29, 2019
Tracked Since
Feb 18, 2026