XXE in the add-on JAR upload resource - CVE-2018-20233

Description

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests, and perform a denial-of-service attack via an XML External Entity (XXE) vulnerability in the parsing of Atlassian plugin XML descriptor files inside an uploaded JAR.
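As an added illustration of the mitigation (this is example code written for this page, not UPM's own implementation), the snippet below shows how an upload handler can extract `atlassian-plugin.xml` from a JAR and parse it with a hardened `DocumentBuilderFactory`, so that a descriptor carrying any DOCTYPE is refused before an entity can be declared, let alone resolved. The class and method names are assumptions, and the two descriptors in `main` are constructed samples rather than real add-on descriptors.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class PluginDescriptorCheck {
    // Hardened DOM parser for untrusted descriptors: refusing any DOCTYPE removes entity
    // declarations (file reads, network fetches) and entity expansion (DoS) in one step.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parse one descriptor with the hardened factory; a DOCTYPE raises SAXParseException.
    static String pluginKey(byte[] xml) throws Exception {
        Document doc = hardenedFactory().newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        return doc.getDocumentElement().getAttribute("key");
    }

    // Locate atlassian-plugin.xml inside the uploaded JAR bytes and hand it to pluginKey().
    static String pluginKeyFromJar(byte[] jarBytes) throws Exception {
        try (JarInputStream jar = new JarInputStream(new ByteArrayInputStream(jarBytes))) {
            for (JarEntry e; (e = jar.getNextJarEntry()) != null; )
                if ("atlassian-plugin.xml".equals(e.getName())) return pluginKey(jar.readAllBytes());
        }
        throw new IOException("upload contains no atlassian-plugin.xml");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptors, not taken from any real add-on.
        String clean = "<atlassian-plugin key=\"com.example.demo\" name=\"Demo\"/>";
        String doctype = "<!DOCTYPE atlassian-plugin [<!ENTITY x \"y\">]><atlassian-plugin key=\"&x;\"/>";
        System.out.println("clean descriptor key: " + pluginKey(clean.getBytes(StandardCharsets.UTF_8)));
        try {
            pluginKey(doctype.getBytes(StandardCharsets.UTF_8));
        } catch (SAXException ex) {
            System.out.println("refused descriptor with DOCTYPE: " + ex.getMessage());
        }
    }
}
```

The same factory settings apply to a SAX or StAX parser; the point is that the descriptor of an uploaded JAR is attacker-controlled input even when the uploader is an administrator, so DTD processing has no business being enabled there.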

Assignee

Unassigned

Reporter

SecurityB

Priority

Major