Test ID:1.3.6.1.4.1.25623.1.0.106758
Category:Web application abuses
Title:Atlassian JIRA XXE / Deserialization Vulnerability
Summary: The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
Description:

Vulnerability Insight:
An anonymous user can perform multiple attacks against a vulnerable JIRA instance that could result in remote code execution, disclosure of private files, or a denial of service against the JIRA server. The vulnerability is caused by the way JIRA used an XML parser and deserializer.

Affected Software/OS:
Atlassian JIRA 4.2.4 through 6.2.7.

Solution:
Update to version 6.3.0 or later. Keep in mind that JIRA Server 6.4 reaches its Atlassian Support end-of-life date on March 17, 2017, so it is recommended to upgrade to a version of JIRA Software (7.0 or later).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2017-5983
BugTraq ID: 97379
http://www.securityfocus.com/bid/97379
CERT/CC vulnerability note: VU#307983
https://www.kb.cert.org/vuls/id/307983
http://codewhitesec.blogspot.com/2017/04/amf.html
Copyright: Copyright (C) 2017 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.