ID CVE-2019-11580
Summary Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
References
Vulnerable Configurations
  • cpe:2.3:a:atlassian:crowd:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.3.1:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.3.2:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.3.3:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.1.1:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.1.3:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.1.4:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.1.5:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.1:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.2:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.3:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.5:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.6:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.9:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.4.10:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:2.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.0.1:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.0.2:-:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:crowd:3.0.3:-:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 19-04-2022 - 15:36)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 108637
misc https://jira.atlassian.com/browse/CWD-5388
saint via4
description Atlassian Crowd pdkinstall arbitrary plugin installation
id web_prog_jsp_crowd
title atlassian_crowd_pdkinstall
type remote
Last major update 19-04-2022 - 15:36
Published 03-06-2019 - 14:29
Last modified 19-04-2022 - 15:36