製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Atlassian 製品における任意のファイルを読まれる脆弱性

Title	複数の Atlassian 製品における任意のファイルを読まれる脆弱性
Summary	Atlassian JIRA、Confluence、FishEye、Crucible、Bamboo、および Crowd は、サードパーティ製の XML パーサの機能を適切に制限しないため、任意のファイルを読まれる、またはサービス運用妨害 (リソース消費) 状態となる脆弱性が存在します。
Possible impacts	第三者により、任意のファイルを読まれる、またはサービス運用妨害 (リソース消費) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 22, 2012, midnight
Registration Date	May 23, 2012, 4:23 p.m.
Last Update	May 23, 2012, 4:23 p.m.

CVSS2.0 : 警告
Score	6.4
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:P

Affected System

Atlassian

Bamboo 3.3.4 未満

Bamboo 3.4.5 未満の 3.4.x

Confluence 3.5.16 未満

Confluence 4.0.7 未満の 4.0

Confluence 4.1.10 未満の 4.1

Crowd 2.0.9 未満

Crowd 2.1.2 未満の 2.1

Crowd 2.2.9 未満の 2.2

Crowd 2.3.7 未満の 2.3

Crowd 2.4.1 未満の 2.4

Crucible 2.5.8 未満

Crucible 2.6.8 未満の 2.6

Crucible 2.7.12 未満の 2.7

FishEye 2.5.8 未満

FishEye 2.6.8 未満の 2.6

FishEye 2.7.12 未満の 2.7

JIRA 5.0.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-2926	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2926
National Vulnerability Database (NVD)
2	CVE-2012-2926	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2926

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Atlassian
1	Bamboo Security Advisory 2012-05-17	http://confluence.atlassian.com/display/BAMBOO40/Bamboo+Security+Advisory+2012-05-17
2	Confluence Security Advisory 2012-05-17	http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17
3	Crowd Security Advisory 2012-05-17	http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17
4	FishEye and Crucible Security Advisory 2012-05-17	http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17
5	JIRA Security Advisory 2012-05-17	http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17

Change Log

No	Changed Details	Date of change
0	[2012年05月23日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-2926

Summary	Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
Publication Date	May 23, 2012, 12:55 a.m.
Registration Date	Jan. 28, 2021, 2:59 p.m.
Last Update	Nov. 21, 2024, 10:39 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:atlassian:fisheye::::::::	2.6			2.6.8
cpe:2.3:a:atlassian:fisheye::::::::				2.5.8
cpe:2.3:a:atlassian:confluence::::::::				3.5.16
cpe:2.3:a:atlassian:jira::::::::				5.0.1
cpe:2.3:a:atlassian:crucible::::::::	2.7			2.7.12
cpe:2.3:a:atlassian:crowd::::::::	2.1			2.1.2
cpe:2.3:a:atlassian:crowd::::::::	2.3.0			2.3.7
cpe:2.3:a:atlassian:crowd::::::::				2.0.9
cpe:2.3:a:atlassian:crowd::::::::	2.4.0			2.4.1
cpe:2.3:a:atlassian:crowd::::::::	2.2.0			2.2.9
cpe:2.3:a:atlassian:confluence_server::::::::	4.0			4.0.7
cpe:2.3:a:atlassian:confluence_server::::::::	4.1			4.1.10
cpe:2.3:a:atlassian:crucible::::::::				2.5.8
cpe:2.3:a:atlassian:fisheye::::::::	2.7			2.7.12
cpe:2.3:a:atlassian:crucible::::::::	2.6			2.6.8
cpe:2.3:a:atlassian:bamboo::::::::				3.3.4
cpe:2.3:a:atlassian:bamboo::::::::	3.4			3.4.5

Related information, measures and tools

No	URL	タグ
1	http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17	Patch Vendor Advisory
2	http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17	Patch Vendor Advisory
3	http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17	Patch Vendor Advisory
4	http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17	Patch Vendor Advisory
5	http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17	Patch Vendor Advisory
6	http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17	Patch Vendor Advisory
7	http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17	Patch Vendor Advisory
8	http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17	Patch Vendor Advisory
9	http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17	Patch Vendor Advisory
10	http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17	Patch Vendor Advisory
11	http://osvdb.org/81993	Broken Link
12	http://osvdb.org/81993	Broken Link
13	http://secunia.com/advisories/49146	Not Applicable
14	http://secunia.com/advisories/49146	Not Applicable
15	http://www.securityfocus.com/bid/53595	Third Party Advisory VDB Entry
16	http://www.securityfocus.com/bid/53595	Third Party Advisory VDB Entry
17	https://exchange.xforce.ibmcloud.com/vulnerabilities/75682	Third Party Advisory VDB Entry
18	https://exchange.xforce.ibmcloud.com/vulnerabilities/75682	Third Party Advisory VDB Entry
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/75697	Third Party Advisory VDB Entry
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/75697	Third Party Advisory VDB Entry

Common Vulnerabilities List