24 matches found
CVE-2019-11580
Atlassian Crowd/Crowd Data Center are affected by CVE-2019-11580 due to the pdkinstall development plugin being incorrectly enabled in release builds. The flaw permits attackers to install arbitrary plugins via unauthenticated or authenticated requests, enabling remote code execution on vulnerabl...
CVE-2022-26136
CVE-2022-26136 is a vulnerability in multiple Atlassian products where remote, unauthenticated attackers can bypass Servlet Filters used by first and third‑party apps, potentially causing authentication bypass and XSS. Affected products and fixed ranges are provided: Atlassian Bamboo (<8.0.9, ...
CVE-2022-26137
CVE-2022-26137 concerns multiple Atlassian products (Bamboo, Bitbucket, Confluence, Jira, Jira Service Management, Crowd, Fisheye/Crucible) where an unauthenticated remote attacker can trigger additional Servlet Filters in requests/responses, causing a CORS bypass. The issue allows an attacker to...
CVE-2019-20104
CVE-2019-20104 affects the OpenID client in Atlassian Crowd. Versions before 3.6.2, and 3.7.0 before 3.7.1, are vulnerable to DoS via XML Entity Expansion. Mitigation: update to a fixed release (3.7.1 or newer) or disable the OpenID client app, as Crowd notes indicate the OpenID client has been d...
CVE-2019-15005
The CVE-2019-15005 vulnerability concerns the Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2, which is bundled with multiple Atlassian products. An unprivileged user can initiate periodic log scans and have the results emailed to a user-specified address due to ...
CVE-2017-18107
The data confirms a CSRF vulnerability in Atlassian Crowd’s Crowd Demo application prior to version 3.1.1. The issue allows remote attackers to add/modify/delete users and groups by crafting unauthorized requests, due to insufficient request validation in the web application. The Demo app is not ...
CVE-2018-20239
CVE-2018-20239 involves a cross-site scripting (XSS) flaw in the Application Links plugin’s applinkStartingUrl parameter. The vulnerability affects multiple plugin versions: Application Links before 5.0.11, 5.1.0–before 5.2.10, 5.3.0–before 5.3.6, 5.4.0–before 5.4.12, and 6.0.0–before 6.0.4. It i...
CVE-2022-43782
CVE-2022-43782 affects Atlassian Crowd. Affected: Crowd versions 3.x, 4.x before 4.4.4, and 5.x before 5.0.3. Root cause: security misconfiguration allows an attacker from an IP on the crowd application allowlist to authenticate as the crowd application and call privileged endpoints in Crowd’s RE...
CVE-2023-22521
CVE-2023-22521 concerns Atlassian Crowd Data Center and Server. The vulnerability is an authenticated remote code execution (RCE) affecting the 3.4.6 baseline, with CVSS metrics indicating high impact on confidentiality, integrity, and availability and no user interaction required. Atlassian reco...
CVE-2012-2926
CVE-2012-2926 covers multiple Atlassian products (JIRA <5.0.1; Confluence pre-3.5.16, 4.0.x <4.0.7, 4.1.x <4.1.10; FishEye/Crucible, Bamboo <3.3.4/3.4.x; Crowd <2.0.9, <2.1.2, <2.2.9, <2.3.7,
CVE-2013-3925
CVE-2013-3925 affects Atlassian Crowd prior to version 2.5.4, 2.6.x prior to 2.6.3, as well as 2.3.8 and 2.4.9. The flaw is an XML External Entity (XXE) vulnerability that enables remote attackers to read arbitrary files and cause requests to intranet servers by crafting a request to /services/2 ...
CVE-2019-20902
Summary: CVE-2019-20902 describes a vulnerability in Crowd where upgrading via XML Data Transfer can reactivate a disabled OpenLDAP user. The issue affects Crowd versions prior to 3.4.6 and 3.5.0 prior to 3.5.1; fixed in 3.4.6 and 3.5.1+ (per records). Impact/behavior: during upgrade, disabled Op...
CVE-2020-36240
The CVE-2020-36240 issue in Atlassian Crowd concerns the ResourceDownloadRewriteRule class, where versions prior to 4.0.4 and versions 4.1.0 to 4.1.1 (i.e., before 4.1.2) allow unauthenticated remote attackers to read arbitrary files inside WEB-INF and META-INF due to an incorrect path access che...
CVE-2016-6496
CVE-2016-6496 affects Atlassian Crowd LDAP entry handling. The LDAP directory connector is vulnerable to LDAP Java object injection: an attacker can cause remote code execution by sending a crafted serialized Java object in an LDAP attribute. Affected versions are all Crowd 1.4.1 to 2.8.7 (and 2....
CVE-2017-16858
The CVE-2017-16858 issue affects Atlassian Crowd’s crowd-application plugin (used by Google Apps) where versions 1.5.0–3.1.1 allow impersonation of a Crowd user in REST requests by authenticating to a directory bound to an application. In the described scenario, if Crowd is bound to directory 1 w...
CVE-2017-18108
CVE-2017-18108 affects Atlassian Crowd prior to version 2.10.2. The administration SMTP configuration resource contains a JNDI injection vulnerability that allows remote attackers with administration rights to execute arbitrary code. Impact: arbitrary code execution with admin privileges; CVSS3 b...
CVE-2017-18105
The CVE affects Atlassian Crowd: versions before 3.0.2 and in 3.1.0–3.1.1 are vulnerable due to a session fixation flaw where the login flow does not rotate the JSESSIONID. This allows remote attackers who already possess a user’s JSESSIONID to access some built-in and potentially third-party RES...
CVE-2017-18106
CVE-2017-18106 affects Atlassian Crowd versions before 2.9.1. The vulnerability stems from the session token’s identifier_hash potentially colliding with another user’s (or a user in a different directory), allowing remote attackers who can authenticate to Crowd or an application using Crowd to h...
CVE-2013-3926
Atlassian Crowd 2.6.3 is cited as vulnerable to remote command execution via unspecified vectors related to a “symmetric backdoor.” The vendor publicly stated they could not reproduce the issue as of 2013-07-04 and provided no detail or patch information; no concrete exploit details are included....
CVE-2017-18109
The CVE-2017-18109 vulnerability affects Atlassian Crowd’s CrowdId login resource before v3.0.2 and in v3.1.0 before v3.1.1, enabling remote attackers to perform phishing via an open redirect. Root cause: improper redirect handling in the login flow. Impact: open redirect could lead victims to a ...
CVE-2016-10740
CVE-2016-10740 affects Atlassian Crowd prior to 2.10.1. The issue allows remote attackers with administration rights to learn passwords of configured LDAP directories by inspecting responses from various resources. Impact is limited to those with admin privileges and knowledge of LDAP configurati...
CVE-2018-20238
CVE-2018-20238 affects Atlassian Crowd: remote attackers can authenticate using an expired user session due to insufficient session expiration. Affected versions are Crowd prior to 3.2.7 and 3.3.0 up to 3.3.4. This is described as an authentication issue in various REST resources, enabling sessio...
CVE-2017-18110
The Atlassian Crowd CVE-2017-18110 affects the administration backup restore resource and allows remote attackers to read files from the filesystem via a XXE vulnerability. Affected versions are before 3.0.2 and before 3.1.1 (specifically 3.1.0 to 3.1.1). Exploitation is described as remote, over...
CVE-2026-21569
This CVE affects Crowd Data Center and Server (Atlassian) starting from version 7.1.0, with a high-severity XXE (XML External Entity Injection) vulnerability. The issue allows an authenticated attacker to access local and remote content, with high impact to confidentiality and availability, and l...