Vulnerability
The pdkinstall development plugin is incorrectly enabled in release builds on Atlassian Crowd and Crowd Data Center. An attacker will install arbitrary plugins on Crowd or Crowd Data Center by sending authenticated and unauthenticated requests. This action permits Remote Code Execution attack on systems running vulnerable versions of Crowd and Crowd Data Center.
Affected versions
All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Mitigation / Precaution
- We recommend you to update Crowd and Crowd data center to the latest version.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
