Detections
Analytics

Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE

critical Nessus Network Monitor Plugin ID 701078

Synopsis

The version of Atlassian Crowd installed on the remote host is affected by an remote code execution (RCE) vulnerability.

Description

The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.

Solution

Update to Crowd version 3.4.4 or later.

See Also

https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html

Plugin Details

Severity: Critical

ID: 701078

Family: CGI

Published: 7/22/2019

Updated: 7/22/2019

Nessus ID: 125477

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:atlassian:crowd

Patch Publication Date: 5/22/2019

Vulnerability Publication Date: 5/22/2019

Reference Information

CVE: CVE-2019-11580

BID: 108637