Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-5983

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.

Published

2017-04-10T15:59:00.457

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	atlassian	jira	4.2.4	Yes
Application	atlassian	jira	4.3	Yes
Application	atlassian	jira	4.3.1	Yes
Application	atlassian	jira	4.3.2	Yes
Application	atlassian	jira	4.3.3	Yes
Application	atlassian	jira	4.3.4	Yes
Application	atlassian	jira	4.4	Yes
Application	atlassian	jira	4.4.1	Yes
Application	atlassian	jira	4.4.2	Yes
Application	atlassian	jira	4.4.3	Yes
Application	atlassian	jira	4.4.4	Yes
Application	atlassian	jira	4.4.5	Yes
Application	atlassian	jira	5.0	Yes
Application	atlassian	jira	5.0.1	Yes
Application	atlassian	jira	5.0.2	Yes
Application	atlassian	jira	5.0.3	Yes
Application	atlassian	jira	5.0.4	Yes
Application	atlassian	jira	5.0.5	Yes
Application	atlassian	jira	5.0.7	Yes
Application	atlassian	jira	5.1	Yes
Application	atlassian	jira	5.1.1	Yes
Application	atlassian	jira	5.1.2	Yes
Application	atlassian	jira	5.1.3	Yes
Application	atlassian	jira	5.1.4	Yes
Application	atlassian	jira	5.1.5	Yes
Application	atlassian	jira	5.1.6	Yes
Application	atlassian	jira	5.1.7	Yes
Application	atlassian	jira	5.1.8	Yes
Application	atlassian	jira	5.2	Yes
Application	atlassian	jira	5.2.1	Yes
Application	atlassian	jira	5.2.2	Yes
Application	atlassian	jira	5.2.3	Yes
Application	atlassian	jira	5.2.4	Yes
Application	atlassian	jira	5.2.5	Yes
Application	atlassian	jira	5.2.6	Yes
Application	atlassian	jira	5.2.7	Yes
Application	atlassian	jira	5.2.8	Yes
Application	atlassian	jira	5.2.9	Yes
Application	atlassian	jira	5.2.10	Yes
Application	atlassian	jira	5.2.11	Yes
Application	atlassian	jira	6.0	Yes
Application	atlassian	jira	6.0.1	Yes
Application	atlassian	jira	6.0.2	Yes
Application	atlassian	jira	6.0.3	Yes
Application	atlassian	jira	6.0.4	Yes
Application	atlassian	jira	6.0.5	Yes
Application	atlassian	jira	6.0.7	Yes
Application	atlassian	jira	6.0.8	Yes
Application	atlassian	jira	6.1	Yes
Application	atlassian	jira	6.1.1	Yes
Application	atlassian	jira	6.1.2	Yes
Application	atlassian	jira	6.1.3	Yes
Application	atlassian	jira	6.1.4	Yes
Application	atlassian	jira	6.1.5	Yes
Application	atlassian	jira	6.1.6	Yes
Application	atlassian	jira	6.1.7	Yes
Application	atlassian	jira	6.1.8	Yes
Application	atlassian	jira	6.1.9	Yes
Application	atlassian	jira	6.2	Yes
Application	atlassian	jira	6.2.1	Yes
Application	atlassian	jira	6.2.2	Yes
Application	atlassian	jira	6.2.3	Yes
Application	atlassian	jira	6.2.4	Yes
Application	atlassian	jira	6.2.5	Yes
Application	atlassian	jira	6.2.6	Yes
Application	atlassian	jira	6.2.7	Yes

References

http://codewhitesec.blogspot.com/2017/04/amf.html Technical Description ([email protected])
http://www.securityfocus.com/bid/97379 Third Party Advisory, VDB Entry ([email protected])
https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html Vendor Advisory ([email protected])
https://jira.atlassian.com/browse/JRASERVER-64077 Vendor Advisory ([email protected])
https://www.kb.cert.org/vuls/id/307983 Third Party Advisory, US Government Resource, VDB Entry ([email protected])
http://codewhitesec.blogspot.com/2017/04/amf.html Technical Description (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/97379 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.atlassian.com/browse/JRASERVER-64077 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/307983 Third Party Advisory, US Government Resource, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)