
original site = https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html

Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 2.1.0 of Crowd and Crowd Data Center. Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. 

Customers who have upgraded Crowd or Crowd Data Center to version 3.0.5 or 3.1.6 or 3.2.8 or 3.3.5 or 3.4.4 are not affected.

Customers who are currently running:

  • Crowd or Crowd Data Center from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x)
  • Crowd or Crowd Data Center from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x)
  • Crowd or Crowd Data Center from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x)
  • Crowd or Crowd Data Center from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x)
  • Crowd or Crowd Data Center from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x)

Please upgrade your Crowd or Crowd Data Center installations immediately to fix this vulnerability.


pdkinstall development plugin incorrectly enabled (CVE-2019-11580)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. 

All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. 

This issue can be tracked here: CWD-5388 - Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580 (status: CLOSED)

Fix

We have taken the following steps to address this issue:

What You Need to Do

Atlassian recommends that customers running a version of Crowd below version 3.3.0 upgrade to version 3.2.8 to avoid CWD-5352 (status: IN PROGRESS); for customers running a version at or above 3.3.0, Atlassian recommends upgrading to the latest version. For a full description of the latest version of Crowd, see the release notes. You can download the latest version of Crowd from the download centre.
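A version check built from the affected ranges in the Description and the upgrade guidance above, added here as an example for inventory or patch-compliance scripts; it is not part of Atlassian's advisory, and the function names and the handling of suffixes such as "-rc1" are assumptions of this example:

```python
# Added example, not Atlassian code: tests a Crowd / Crowd Data Center
# version string against the affected ranges of CVE-2019-11580.
import re

# (start_inclusive, end_exclusive) per branch; each upper bound is the
# fixed version named in the advisory for that branch.
AFFECTED_RANGES = [
    ((2, 1, 0), (3, 0, 5)),   # 2.1.0 up to, but not including, 3.0.5
    ((3, 1, 0), (3, 1, 6)),
    ((3, 2, 0), (3, 2, 8)),
    ((3, 3, 0), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 4)),
]


def parse_version(version):
    """Turn '3.2.7' (or '3.2.7-rc1') into a comparable tuple of ints.

    Only the leading numeric components are used; a missing patch level
    counts as 0, so '3.4' compares as 3.4.0.  The suffix handling is an
    assumption of this example, not something the advisory specifies."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True if the version lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_action(version):
    """Advisory guidance: below 3.3.0 go to 3.2.8, otherwise to latest."""
    if not is_affected(version):
        return "not affected"
    if parse_version(version) < (3, 3, 0):
        return "upgrade to 3.2.8"
    return "upgrade to the latest version"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("crowd-a", "3.2.7"), ("crowd-b", "3.4.4")]:
        print(host, ver, recommended_action(ver))
```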

