-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This email refers to the advisory found at
https://confluence.atlassian.com/x/3ADVOQ .
CVE ID:
* CVE-2019-11580.
Product: Crowd and Crowd Data Center.
Affected Crowd and Crowd Data Center product versions:
2.1.0 <= version < 3.0.5
3.1.0 <= version < 3.1.6
3.2.0 <= version < 3.2.8
3.3.0 <= version < 3.3.5
3.4.0 <= version < 3.4.4
Fixed Crowd and Crowd Data Center product versions:
* For 3.0.x, Crowd and Crowd Data Center 3.0.5 have been released with a fix for
this issue.
* For 3.1.x, Crowd and Crowd Data Center 3.1.6 have been released with a fix for
this issue.
* For 3.2.x, Crowd and Crowd Data Center 3.2.8 have been released with a fix for
this issue.
* For 3.3.x, Crowd and Crowd Data Center 3.3.5 have been released with a fix for
this issue.
* For 3.4.x, Crowd and Crowd Data Center 3.4.4 have been released with a fix for
this issue.
Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed
version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for
3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from
version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from version 3.4.0
before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Customers who have upgraded Crowd and Crowd Data Center to version 3.0.5,
3.1.6, 3.2.8, 3.3.5 or 3.4.4 are not affected.
Customers who have downloaded and installed Crowd or Crowd Data Center
>= 2.1.0 but less than 3.0.5, >= 3.1.0 but less than 3.1.6 (the fixed version
for 3.1.x), >= 3.2.0 but less than 3.2.8 (the fixed version for 3.2.x),
>= 3.3.0 but less than 3.3.5 (the fixed version for 3.3.x), or >= 3.4.0 but
less than 3.4.4 (the fixed version for 3.4.x) should upgrade their Crowd and
Crowd Data Center installations immediately to fix this vulnerability.
pdkinstall development plugin incorrectly enabled - CVE-2019-11580
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.
Description:
Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly
enabled in release builds. Attackers who can send unauthenticated or
authenticated requests to a Crowd or Crowd Data Center instance can exploit this
vulnerability to install arbitrary plugins, which permits remote code execution
on systems running a vulnerable version of Crowd or Crowd Data Center.
Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5
(the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed
version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for
3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from
version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/CWD-5388 .
Fix:
To address this issue, we've released the following versions containing a fix:
* Crowd and Crowd Data Center version 3.0.5
* Crowd and Crowd Data Center version 3.1.6
* Crowd and Crowd Data Center version 3.2.8
* Crowd and Crowd Data Center version 3.3.5
* Crowd and Crowd Data Center version 3.4.4
Remediation:
Atlassian recommends that customers running a version of Crowd below 3.3.0
upgrade to version 3.2.8, to avoid https://jira.atlassian.com/browse/CWD-5352.
For customers running version 3.3.0 or above, Atlassian recommends upgrading
to the latest version.
The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.
If you are running Crowd and Crowd Data Center 3.1.x and cannot upgrade to
3.4.4, upgrade to version 3.1.6.
If you are running Crowd and Crowd Data Center 3.2.x and cannot upgrade to
3.4.4, upgrade to version 3.2.8.
If you are running Crowd and Crowd Data Center 3.3.x and cannot upgrade to
3.4.4, upgrade to version 3.3.5.
For a full description of the latest version of Crowd and Crowd Data Center,
see the release notes found at
https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes. You can
download the latest version of Crowd and Crowd Data Center from the download
centre found at https://www.atlassian.com/software/crowd/download.
Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----