CVE-2017-18111 in Application Links

Summary

by MITRE

The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability.

Analysis

by VulDB Data Team • 08/17/2023

The vulnerability identified as CVE-2017-18111 is a critical XML External Entity (XXE) flaw in the OAuthHelper component of Atlassian Application Links. It affected several release lines: versions before 5.0.10, versions from 5.1.0 before 5.1.3, and versions from 5.2.0 before 5.2.6. The flaw lies in how the component processes OAuth requests: its XML document builder does not restrict external entity references, which lets a malicious actor abuse the system's XML parsing functionality.

The technical implementation of this vulnerability stems from the OAuthHelper's improper handling of XML input during client OAuth request processing. When an application links to an Atlassian instance, the system's XML parser accepts and processes external entity declarations without adequate sanitization. This creates a vector where attackers can craft malicious XML payloads containing references to internal network resources, local files, or malicious external entities. The vulnerability manifests through the XML document builder's acceptance of external entity references, which allows for arbitrary file reads, internal network probing, and resource exhaustion attacks. The flaw specifically enables attackers to construct XML documents that reference internal system locations or files, potentially exposing sensitive data or gaining insights into the internal network structure.

The operational impact of this vulnerability extends beyond simple information disclosure to include significant availability and data integrity concerns. Attackers leveraging this XXE vulnerability can perform internal network reconnaissance by probing internal resources, potentially mapping network topology and identifying vulnerable services. The ability to read local files means that attackers could access sensitive configuration files, credentials, or application data stored on the system. More critically, the vulnerability allows for out-of-memory exceptions through malicious XML entity expansion, which can lead to denial of service conditions affecting system availability. This makes the vulnerability particularly dangerous in production environments where system uptime and data protection are critical. The attack surface includes any Atlassian application that utilizes the vulnerable Application Links component, affecting organizations using Confluence, Jira, or other Atlassian products that support OAuth authentication.

Organizations affected by this vulnerability should prioritize immediate remediation through patching to versions 5.0.10, 5.1.3, or 5.2.6 respectively, depending on their current version. The mitigation strategy should also include implementing network-level restrictions to prevent unauthorized access to internal resources and monitoring for suspicious XML processing activities. Security teams should conduct thorough vulnerability assessments to identify all instances of affected Atlassian products within their environment and ensure proper XML parsing configurations are implemented. The vulnerability aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and represents a significant risk under ATT&CK technique T1213.002 (External Remote Services) and T1071.004 (Application Layer Protocol: DNS). Organizations should also consider implementing web application firewalls to detect and block malicious XML payloads, and establish proper input validation procedures for all XML processing components to prevent similar vulnerabilities from emerging in the future.

Reservation

02/01/2018

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low
