CVE-2019-11580

Name of the Vulnerable Software and Affected Versions Atlassian Crowd versions 2.1.0 through 3.0.4 Atlassian Crowd versions 3.1.0 through 3.1.5 Atlassian Crowd versions 3.2.0 through 3.2.7 Atlassian Crowd versions 3.3.0 through 3.3.4 Atlassian Crowd versions 3.4.0 through 3.4.3 Atlassian Crowd Data Center versions 2.1.0 through 3.0.4 Atlassian Crowd Data Center versions 3.1.0 through 3.1.5 Atlassian Crowd Data Center versions 3.2.0 through 3.2.7 Atlassian Crowd Data Center versions 3.3.0 through 3.3.4 Atlassian Crowd Data Center versions 3.4.0 through 3.4.3

Description The pdkinstall development plugin in Atlassian Crowd and Crowd Data Center is incorrectly enabled in release builds, allowing attackers to send unauthenticated or authenticated requests to exploit this issue and install arbitrary plugins. This permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. The vulnerability exists due to insufficient input validation.

Recommendations For Atlassian Crowd versions 2.1.0 through 3.0.4, update to version 3.0.5 or later. For Atlassian Crowd versions 3.1.0 through 3.1.5, update to version 3.1.6 or later. For Atlassian Crowd versions 3.2.0 through 3.2.7, update to version 3.2.8 or later. For Atlassian Crowd versions 3.3.0 through 3.3.4, update to version 3.3.5 or later. For Atlassian Crowd versions 3.4.0 through 3.4.3, update to version 3.4.4 or later. For Atlassian Crowd Data Center versions 2.1.0 through 3.0.4, update to version 3.0.5 or later. For Atlassian Crowd Data Center versions 3.1.0 through 3.1.5, update to version 3.1.6 or later. For Atlassian Crowd Data Center versions 3.2.0 through 3.2.7, update to version 3.2.8 or later. For Atlassian Crowd Data Center versions 3.3.0 through 3.3.4, update to version 3.3.5 or later. For Atlassian Crowd Data Center versions 3.4.0 through 3.4.3, update to version 3.4.4 or later.