CVE-2019-20104
First published: Thu Feb 06 2020(Updated: )
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Crowd | <3.2.11 | |
| Atlassian Crowd | >=3.3.0<3.3.8 | |
| Atlassian Crowd | >=3.4.0<3.4.7 | |
| Atlassian Crowd | >=3.5.0<3.5.2 | |
| Atlassian Crowd | >=3.6.0<3.6.2 | |
| Atlassian Crowd | >=3.6.3<3.7.1 | |
| Atlassian Crowd | >=3.7.2<4.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID is CVE-2019-20104.
What is the severity of CVE-2019-20104?
The severity of CVE-2019-20104 is high with a severity value of 7.5.
How does CVE-2019-20104 affect the Atlassian Crowd application?
CVE-2019-20104 affects Atlassian Crowd before version 3.6.2 and from version 3.7.0 before 3.7.1.
What is the impact of CVE-2019-20104?
The impact of CVE-2019-20104 is a Denial of Service (DoS) attack through an XML Entity Expansion vulnerability.
How can I fix CVE-2019-20104 in Atlassian Crowd?
To fix CVE-2019-20104, it is recommended to upgrade Atlassian Crowd to version 3.6.2 or apply version 3.7.1 or later.
- collector/nvd-index
- vendor/atlassian
- canonical/atlassian crowd
- version/atlassian crowd/3.3.0
- version/atlassian crowd/3.4.0
- version/atlassian crowd/3.5.0
- version/atlassian crowd/3.6.0
- version/atlassian crowd/3.6.3
- version/atlassian crowd/3.7.2