CVE DATABASE / CVE-2019-11580
CVE-2019-11580
Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability
Confirmed exploited in the wild. Added 2021-11-03.
Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.
Summary
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
CVSS 3.1 breakdown
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Affected products
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- http://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/108637
- https://jira.atlassian.com/browse/CWD-5388
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11580
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-24. Always verify against the vendor advisory before acting.