CVE-2019-11580

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send...

Basic Information

CVE State: PUBLISHED
Reserved Date: April 29, 2019
Published Date: June 03, 2019
Last Updated: October 21, 2025
Vendor: Atlassian
Product: Crowd
Description: Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Tags

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Source	Added Date
CISA	2021-11-03 00:00:00 UTC
CISA	2021-11-03 00:00:00 UTC

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce.rb	2025-04-28 15:02:17 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-11580.yaml	2025-04-25 00:00:00 UTC

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-11580

Type: github • Created: 2020-03-06 17:09:26 UTC • Stars: 6

A CVE-2019-11580 shell

Type: github • Created: 2019-07-17 07:54:38 UTC • Stars: 106

CVE-2019-11580 Atlassian Crowd and Crowd Data Center RCE