CVE-2019-11580

Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-04-29 CVE Reserved
  • 2019-05-27 CVE Published
  • 2019-07-18 First Exploit
  • 2021-11-03 Exploited in Wild
  • 2022-05-03 KEV Due Date
  • 2024-09-16 CVE Updated
  • 2024-10-24 EPSS Updated
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor     Product  Version            Other  Status
Atlassian  Crowd    >= 2.1.0 < 3.0.5   -      Affected
Atlassian  Crowd    >= 3.1.0 < 3.1.6   -      Affected
Atlassian  Crowd    >= 3.2.0 < 3.2.8   -      Affected
Atlassian  Crowd    >= 3.3.0 < 3.3.5   -      Affected
Atlassian  Crowd    >= 3.4.0 < 3.4.4   -      Affected