Atlassian Crowd 2.6.x < 2.6.3 Information Disclosure
Medium Nessus Network Monitor Plugin ID 700021
Synopsis
The version of Atlassian Crowd installed on the remote host is affected by an information disclosure attack vector.

Description
The version of Crowd installed on the remote host is 2.6.x prior to 2.6.3 and is affected by an XML External Entity (XXE) vulnerability. This vulnerability could allow a remote, unauthenticated attacker to retrieve arbitrary files from the remote host by sending a specially crafted HTTP request whose XML body carries a Document Type Definition (DTD) header declaring an external entity, together with a reference to that entity in the document.

Solution
Update to Crowd version 2.6.3 or later.
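The class of bug described above is fixed on the parsing side by refusing any inline DTD before entity declarations can be expanded. The following is an added illustration (not Atlassian's or Nessus's code) using Python's stdlib expat parser; the two sample documents and the file path in the DOCTYPE are constructed placeholders.

```python
"""Reject XML documents that declare a DTD before their body is processed.

Rather than enumerating dangerous ENTITY declarations, the hardened parser
stops at the first DOCTYPE, so no entity (external or internal) is ever
expanded. Sample documents below are constructed for illustration only.
"""
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE / DTD."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse xml_bytes with expat, aborting on any DOCTYPE declaration.

    Returns {"root": <root element name>, "text": <concatenated text>}.
    Raises DtdNotAllowed if the document declares a DTD.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": ""}

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires before the internal subset is read, so ENTITY declarations
        # in the DTD are never parsed, let alone expanded.
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} rejected")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_chardata(data):
        result["text"] += data

    def on_external_entity_ref(context, base, system_id, public_id):
        return 0  # defence in depth: never fetch an external entity

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chardata
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.Parse(xml_bytes, True)
    return result


def accepts(xml_bytes: bytes) -> bool:
    """True if the document parses without a DTD, False if it was rejected."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples: a plain document and one carrying a DTD with an
# external entity declaration and a reference to it (placeholder path).
SAFE_DOC = b'<?xml version="1.0"?><user><name>alice</name></user>'
DTD_DOC = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
           b'"file:///PLACEHOLDER">]><r>&ext;</r>')

if __name__ == "__main__":
    print(parse_without_dtd(SAFE_DOC))
    print("DTD document accepted:", accepts(DTD_DOC))
```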