CVE-2018-20233

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
atlassianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
atlassianuniversal_plugin_manager
𝑥
< 2.22.14
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/106661
https://ecosystem.atlassian.net/browse/UPM-5964
http://www.securityfocus.com/bid/106661
https://ecosystem.atlassian.net/browse/UPM-5964