Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-5983: Deserialization of Untrusted Data in Atlassian Jira

Severity: 9.8 CRITICAL (NVD)
EPSS: 8.4% (top 7.67%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Apr 10; latest update May 17

Description

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

NVD: atlassian/jira (66 versions)

Vulnerability Details (2)

GHSA: GHSA-rr9q-89cr-8fcp: The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6… (2022-05-17)
CVEList: CVE-2017-5983: The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6… (2017-04-10)

Exploits & PoCs (1)

Nuclei: JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
CVE-2017-5983 — Deserialization of Untrusted Data | cvebase