CVE-2019-11580

CVE Database · CVE-2019-11580

CVE-2019-11580

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

95.36%

Published

Jun 3, 2019

Modified

Oct 24, 2025

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2022-05-03

Apply updates per vendor instructions.

Public PoC / Exploit (4)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCjas502n/CVE-2019-11580★105 GitHub PoCshelld3v/CVE-2019-11580★6

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products (5)

atlassian · crowd (up to 3.0.5)vulnerable

atlassian · crowd (up to 3.1.6)vulnerable

atlassian · crowd (up to 3.2.8)vulnerable

atlassian · crowd (up to 3.3.5)vulnerable

atlassian · crowd (up to 3.4.4)vulnerable

References (7)

http://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/108637