CVE-2017-5983

CRITICAL NUCLEI

Atlassian Jira - Insecure Deserialization

Title source: rule

Description

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.

Nuclei Templates (1)

JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
CRITICAL | VERIFIED | by us3r777, Synacktiv
Shodan: http.title:"system dashboard - jira" || cpe:"cpe:2.3:a:atlassian:jira" || http.component:"atlassian confluence" || http.component:"atlassian jira"

Scores

CVSS v3: 9.8
EPSS: 0.0838
EPSS Percentile: 92.2%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE: CWE-502
Status: draft

Affected Products (50)

atlassian/jira

Timeline

Published: Apr 10, 2017
Tracked Since: Feb 18, 2026