CyberSec.Space Logo
Back to CVE Browser

CVE-2012-2926

CRITICAL
9.1
CVSS Severity Score
EPSS Score0.0680%
EPSS Percentile8.44th
PublishedMay 22, 2012
Last ModifiedApr 29, 2026

Vulnerability Description

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Bamboo

< 3.3.4
πŸ“¦
Atlassian

Bamboo

>= 3.4 and < 3.4.5
πŸ“¦
Atlassian

Confluence

< 3.5.16
πŸ“¦
Atlassian

Confluence Server

>= 4.0 and < 4.0.7
πŸ“¦
Atlassian

Confluence Server

>= 4.1 and < 4.1.10
πŸ“¦
Atlassian

Crowd

< 2.0.9
πŸ“¦
Atlassian

Crowd

>= 2.1 and < 2.1.2
πŸ“¦
Atlassian

Crowd

>= 2.2.0 and < 2.2.9
πŸ“¦
Atlassian

Crowd

>= 2.3.0 and < 2.3.7
πŸ“¦
Atlassian

Crowd

>= 2.4.0 and < 2.4.1
πŸ“¦
Atlassian

Crucible

< 2.5.8
πŸ“¦
Atlassian

Crucible

>= 2.6 and < 2.6.8
πŸ“¦
Atlassian

Crucible

>= 2.7 and < 2.7.12
πŸ“¦
Atlassian

Fisheye

< 2.5.8
πŸ“¦
Atlassian

Fisheye

>= 2.6 and < 2.6.8
πŸ“¦
Atlassian

Fisheye

>= 2.7 and < 2.7.12
πŸ“¦
Atlassian

Jira

< 5.0.1

References & Advisories

πŸ”— http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17
πŸ”— http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17
πŸ”— http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17
πŸ”— http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17
πŸ”— http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17
πŸ”— http://osvdb.org/81993
πŸ”— http://secunia.com/advisories/49146
πŸ”— http://www.securityfocus.com/bid/53595

Related Vulnerabilities

CVE-2015-83609.8

An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Jav...

CVE-2014-97579.8

The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XM...

CVE-2021-378439.8

The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is k...

CVE-2016-52299.8

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allow...