Vulnerability Details : CVE-2017-5983
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
Vulnerability category: Execute codeDenial of service
Products affected by CVE-2017-5983
- cpe:2.3:a:atlassian:jira:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:5.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:6.2.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5983
2.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 88 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-5983
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-5983
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5983
-
https://jira.atlassian.com/browse/JRASERVER-64077
[JRASERVER-64077] Multiple Vulnerabilities in JIRA Workflow Servlet - Create and track feature requests for Atlassian products.Vendor Advisory
-
https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html
JIRA Security Advisory 2017-03-09 - Atlassian DocumentationVendor Advisory
-
http://codewhitesec.blogspot.com/2017/04/amf.html
code white | Blog: AMF – Another Malicious FormatTechnical Description
-
https://www.kb.cert.org/vuls/id/307983
VU#307983 - Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities referencesThird Party Advisory;US Government Resource;VDB Entry
-
http://www.securityfocus.com/bid/97379
Atlassian JIRA CVE-2017-5983 Remote Code Execution VulnerabilityThird Party Advisory;VDB Entry
Jump to