The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 6.0.5. It is, therefore, affected by a issue in the TM Software Tempo Plugin which does not properly restrict the capabilities of 3rd party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of Atlassian JIRA hosted on the remote web server is prior to 5.0.1. It is, therefore, potentially affected by an XML parsing flaw due to improper restrictions on the capabilities of third-party parsers. A remote, authenticated attacker can exploit this to perform a denial of service attack against JIRA.

The Tempo and Gliffy plugins for JIRA are also affected by this vulnerability; however, Nessus did not confirm that these plugins are installed. If you are using these plugins with any version of JIRA, you should upgrade or disable them.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
113821	Atlassian Jira 7.x < 7.0.3 Software Tempo Plugin Xml Denial Of Service	Web App Scanning	Component Vulnerability	medium
113820	Atlassian Jira 6.5.x < 6.5.0.2 Software Tempo Plugin Xml Denial Of Service	Web App Scanning	Component Vulnerability	medium
113819	Atlassian Jira < 6.4.3.1 / 6.5.x < 6.5.0.2 / 7.x < 7.0.3 Software Tempo Plugin Xml Denial Of Service	Web App Scanning	Component Vulnerability	medium
59329	Atlassian JIRA < 5.0.1 XML Parsing DoS	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2012-2927

medium

Tenable Plugins

medium

medium

medium

medium