CVE-2019-20104: 
Atlassian Crowd vulnerability analysis and mitigation

The vulnerability CVE-2019-20104 affects the OpenID client application in Atlassian Crowd versions before 3.6.2 and from version 3.7.0 before 3.7.1. This security flaw allows remote attackers to perform Denial of Service (DoS) attacks through an XML Entity Expansion vulnerability. The issue was discovered and reported in January 2020, affecting the OpenID client application which is a testing app bundled with the standard Crowd distribution (Atlassian Jira).

The vulnerability exists in the OpenID client application, which runs in the same Tomcat container as the Crowd and OpenID Server. The security flaw specifically relates to XML Entity Expansion, which could be exploited to cause denial of service conditions. While the OpenID client application was deployed by default prior to Crowd Version 3.6.2, it's important to note that this is a testing application used as a starting point for developing OpenID-enabled Java applications (Atlassian Jira).

The primary impact of this vulnerability is the potential for remote attackers to execute Denial of Service attacks against affected systems. The vulnerability affects the OpenID client application, which although bundled with Crowd, is not required for Crowd or OpenID server to function correctly (Atlassian Jira).

Atlassian addressed this vulnerability by disabling the OpenID client application by default in Crowd version 3.6.2 and later releases. For users running older versions who cannot immediately update, Atlassian provides a manual procedure to disable the Crowd OpenID client application. The issue was fixed in versions 3.6.2, 3.7.1, and 4.0.0 (Atlassian Jira).