What is the severity of CVE-2019-11580?

CVE-2019-11580 is classified as a critical vulnerability due to its potential for remote code execution and exploitation.

How do I fix CVE-2019-11580?

To fix CVE-2019-11580, update to the latest patched version of Atlassian Crowd or Crowd Data Center, specifically versions beyond the affected ranges.

What are the potential impacts of CVE-2019-11580?

Exploitation of CVE-2019-11580 may allow attackers to install arbitrary plugins, leading to unauthorized access and potential system compromise.

Which versions of Atlassian Crowd are affected by CVE-2019-11580?

Affected versions of Atlassian Crowd include 2.1.0 to 3.0.5, 3.1.0 to 3.1.6, 3.2.0 to 3.2.8, 3.3.0 to 3.3.5, and 3.4.0 to 3.4.4.

Is CVE-2019-11580 applicable to Crowd Data Center?

Yes, CVE-2019-11580 impacts both Atlassian Crowd and Crowd Data Center, allowing similar vulnerabilities in both environments.

Vulnerability/
CVE-2019-11580

Exploited

critical

9.8

3/6/2019

14/3/2025

CVE-2019-11580: Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability

First published: Mon Jun 03 2019(Updated: )

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Credit: security@atlassian.com security@atlassian.com

Affected Software	Affected Version	How to fix
Atlassian Crowd	>=2.1.0<3.0.5
Atlassian Crowd	>=3.1.0<3.1.6
Atlassian Crowd	>=3.2.0<3.2.8
Atlassian Crowd	>=3.3.0<3.3.5
Atlassian Crowd	>=3.4.0<3.4.4
Atlassian Crowd

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2019-11580?
CVE-2019-11580 is classified as a critical vulnerability due to its potential for remote code execution and exploitation.
How do I fix CVE-2019-11580?
To fix CVE-2019-11580, update to the latest patched version of Atlassian Crowd or Crowd Data Center, specifically versions beyond the affected ranges.
What are the potential impacts of CVE-2019-11580?
Exploitation of CVE-2019-11580 may allow attackers to install arbitrary plugins, leading to unauthorized access and potential system compromise.
Which versions of Atlassian Crowd are affected by CVE-2019-11580?
Affected versions of Atlassian Crowd include 2.1.0 to 3.0.5, 3.1.0 to 3.1.6, 3.2.0 to 3.2.8, 3.3.0 to 3.3.5, and 3.4.0 to 3.4.4.
Is CVE-2019-11580 applicable to Crowd Data Center?
Yes, CVE-2019-11580 impacts both Atlassian Crowd and Crowd Data Center, allowing similar vulnerabilities in both environments.

collector/nvd-index
agent/type
agent/description
agent/title
agent/severity
agent/references
agent/author
agent/softwarecombine
agent/first-publish-date
agent/source
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/tags
agent/event
collector/nvd-cve
exploited/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup-request
vendor/atlassian
canonical/atlassian crowd
version/atlassian crowd/2.1.0
version/atlassian crowd/3.1.0
version/atlassian crowd/3.2.0
version/atlassian crowd/3.3.0
version/atlassian crowd/3.4.0