CVE-2019-11580

Basic Information

CVE State
PUBLISHED
Reserved Date
April 29, 2019
Published Date
June 03, 2019
Last Updated
February 07, 2025
Vendor
Atlassian
Product
Crowd
Description
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

CVSS Scores

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2021-11-03 00:00:00 UTC)
Proof of Concept Available
Yes (added 2020-03-06 17:09:26 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2021-11-03 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

atlassian_crowd_pdkinstall_plugin_upload_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-11580

shelld3v/CVE-2019-11580

Type: github • Created: 2020-03-06 17:09:26 UTC • Stars: 6

A CVE-2019-11580 shell

jas502n/CVE-2019-11580

Type: github • Created: 2019-07-17 07:54:38 UTC • Stars: 106

CVE-2019-11580 Atlassian Crowd and Crowd Data Center RCE