CVE-2019-20104
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
La aplicación de cliente OpenID en Atlassian Crowd antes de la versión 3.6.2 y desde la versión 3.7.0 anteriores a 3.7.1, permite a atacantes remotos llevar a cabo un ataque de Denegación de Servicio por medio de una vulnerabilidad de tipo XML Entity Expansion.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-12-30 CVE Reserved
- 2020-02-06 CVE Published
- 2023-10-23 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://zeroauth.ltd/blog/2020/02/07/cve-2019-20104-atlassian-crowd-openid-client-vulnerable-to-remote-dos-via-xml-entity-expansion | 2024-09-16 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://jira.atlassian.com/browse/CWD-5526 | 2022-01-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | < 3.2.11 Search vendor "Atlassian" for product "Crowd" and version " < 3.2.11" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | >= 3.3.0 < 3.3.8 Search vendor "Atlassian" for product "Crowd" and version " >= 3.3.0 < 3.3.8" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | >= 3.4.0 < 3.4.7 Search vendor "Atlassian" for product "Crowd" and version " >= 3.4.0 < 3.4.7" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | >= 3.5.0 < 3.5.2 Search vendor "Atlassian" for product "Crowd" and version " >= 3.5.0 < 3.5.2" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | >= 3.6.0 < 3.6.2 Search vendor "Atlassian" for product "Crowd" and version " >= 3.6.0 < 3.6.2" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | >= 3.6.3 < 3.7.1 Search vendor "Atlassian" for product "Crowd" and version " >= 3.6.3 < 3.7.1" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crowd Search vendor "Atlassian" for product "Crowd" | >= 3.7.2 < 4.0.0 Search vendor "Atlassian" for product "Crowd" and version " >= 3.7.2 < 4.0.0" | - |
Affected
| ||||||