CVE-2019-20104

HIGH

Atlassian Crowd < 3.2.11 - XML Entity Expansion

Title source: rule

Description

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.

References (2)

[Vendor Advisory] https://jira.atlassian.com/browse/CWD-5526

[Exploit, Technical Description] https://zeroauth.ltd/blog/2020/02/07/cve-2019-20104-atlassian-crowd-openid-client-vulnerable-to-remote-dos-via-xml-entity-expansion/

Scores

CVSS v3 7.5

EPSS 0.0243

EPSS Percentile 85.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-776

Status published

Products (1)

atlassian/crowd < 3.2.11

Published Feb 06, 2020

Tracked Since Feb 18, 2026