Description
The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106661
Issue Tracking, Vendor Advisory x_refsource_confirm
https://ecosystem.atlassian.net/browse/UPM-5964
Scores
CVSS v3
6.5
EPSS
0.0077
EPSS Percentile
73.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-611
Status
published
Products (1)
atlassian/universal_plugin_manager
< 2.22.14
Published
Jan 18, 2019
Tracked Since
Feb 18, 2026