Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

Updates are available. Please see the references for more information.

• http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17
• http://www.atlassian.com/software/jira/
• http://www.securityfocus.com/bid/53595
• https://jira.atlassian.com/browse/JRA-27719

---

Updated on 2015-03-25