TROYANOSYVIRUS

CVE-2019-11580

CRITICAL | CISA KEV | 9.8

Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

CVE Details

CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 6/3/2019
Last Modified: 10/24/2025
Source: kev
Honeypot Sightings: 0

CISA KEV

Vendor: Atlassian
Product: Crowd and Crowd Data Center
Vulnerability Name: Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability
KEV Date Added: 2021-11-03
Remediation Due Date: 2022-05-03
Ransomware Use: Known

Affected Products

atlassian:crowd

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.