CVE-2019-11580
published 2019-06-03


Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 95.36% (99.9th percentile)
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Affected

15 ranges

Vendor      Product   Version range             Fixed in
atlassian   crowd     >= 2.1.0 < unspecified    unspecified
atlassian   crowd     >= 2.1.0 < 3.0.5          3.0.5
atlassian   crowd     >= 3.1.0 < unspecified    unspecified
atlassian   crowd     >= 3.1.0 < 3.1.6          3.1.6
atlassian   crowd     >= 3.2.0 < unspecified    unspecified
atlassian   crowd     >= 3.2.0 < 3.2.8          3.2.8
atlassian   crowd     >= 3.3.0 < unspecified    unspecified
atlassian   crowd     >= 3.3.0 < 3.3.5          3.3.5
atlassian   crowd     >= 3.4.0 < unspecified    unspecified
atlassian   crowd     >= 3.4.0 < 3.4.4          3.4.4
atlassian   crowd     >= unspecified < 3.0.5    3.0.5
atlassian   crowd     >= unspecified < 3.1.6    3.1.6
atlassian   crowd     >= unspecified < 3.2.8    3.2.8
atlassian   crowd     >= unspecified < 3.3.5    3.3.5
atlassian   crowd     >= unspecified < 3.4.4    3.4.4

Detection & IOCs (extracted from sources)

path: /crowd/admin/uploadplugin.action
filename: rce.jar
other: pdkinstall
  • Monitor for unauthenticated or authenticated HTTP POST requests to the Atlassian Crowd endpoint /crowd/admin/uploadplugin.action, particularly with multipart/mixed Content-Type headers, as this is the exploitation vector for CVE-2019-11580.
  • Hunt for JAR file uploads to Atlassian Crowd instances, especially files named rce.jar, as threat actors have been observed uploading malicious plugin payloads with this filename during exploitation of CVE-2019-11580.
  • Exploitation of CVE-2019-11580 allows arbitrary plugin installation without authentication; alert on any new plugin installation events in Atlassian Crowd audit logs, especially from unexpected source IPs.
  • The vulnerable component is the pdkinstall development plugin, which was incorrectly left enabled in production/release builds of Atlassian Crowd and Crowd Data Center. Verify that this plugin is disabled in any deployed instance.
  • If upgrading is not immediately feasible, Atlassian provided mitigation steps and a bash script to automate mitigation on Linux systems; apply these as an interim measure.
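A detection pass over web-server access logs for the first and third indicators above (POSTs to /crowd/admin/uploadplugin.action, the multipart/mixed Content-Type, and unexpected source hosts), added here as an example and not part of the cvebase record or Atlassian's guidance. The sample log lines, the ADMIN_SOURCES allowlist and the trailing Content-Type log field (a custom LogFormat) are constructed assumptions.

```python
import re

# Constructed sample access-log lines (Apache combined format with the request
# Content-Type appended as a final quoted field); not traffic from a real Crowd host.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2019:10:11:12 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 4311 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [05/Jun/2019:10:11:14 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "multipart/mixed; boundary=e6a8b3"
10.0.0.5 - - [05/Jun/2019:10:13:00 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 302 0 "https://crowd.example/crowd/console/" "Mozilla/5.0" "multipart/form-data; boundary=9f2c1a"
198.51.100.9 - - [05/Jun/2019:10:14:00 +0000] "POST /crowd/admin/uploadplugin.action?x=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "multipart/mixed"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)
UPLOAD_PATH = "/crowd/admin/uploadplugin.action"
# Assumed allowlist of hosts from which administrators normally install plugins.
ADMIN_SOURCES = {"10.0.0.5"}


def classify(line):
    """Return detection reasons for one access-log line (empty list if nothing to flag)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = m.group("path").split("?", 1)[0]          # ignore any query string
    if m.group("method") != "POST" or path != UPLOAD_PATH:
        return []
    reasons = ["post_uploadplugin"]                   # every POST to the upload endpoint is reviewed
    if m.group("ctype").lower().startswith("multipart/mixed"):
        reasons.append("multipart_mixed")            # body type seen in exploitation of CVE-2019-11580
    if m.group("src") not in ADMIN_SOURCES:
        reasons.append("unexpected_source")          # plugin install attempt from a non-admin host
    if m.group("referer") == "-":
        reasons.append("no_referer")                 # submitted directly, not via the Crowd admin UI
    return reasons


def scan(log_text):
    """Scan a whole access log and return one finding per flagged request."""
    findings = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append({"src": m.group("src"), "status": m.group("status"), "reasons": reasons})
    return findings
```

A legitimate admin upload from an allowlisted host still appears with the single reason post_uploadplugin, so every plugin install stays reviewable while the multipart/mixed and unexpected-source reasons separate the exploitation pattern from routine administration.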

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -
cisa        -         9.8     CRITICAL   -