This email refers to the advisory found at https://confluence.atlassian.com/x/3ADVOQ .

CVE ID:

* CVE-2019-11580.

Product: Crowd and Crowd Data Center.

Affected Crowd and Crowd Data Center product versions:

2.1.0 <= version < 3.0.5
3.1.0 <= version < 3.1.6
3.2.0 <= version < 3.2.8
3.3.0 <= version < 3.3.5
3.4.0 <= version < 3.4.4

Fixed Crowd and Crowd Data Center product versions:

* Crowd and Crowd Data Center 3.0.5 have been released with a fix for this issue.
* for 3.1.x, Crowd and Crowd Data Center 3.1.6 have been released with a fix for this issue.
* for 3.2.x, Crowd and Crowd Data Center 3.2.8 have been released with a fix for this issue.
* for 3.3.x, Crowd and Crowd Data Center 3.3.5 have been released with a fix for this issue.
* for 3.4.x, Crowd and Crowd Data Center 3.4.4 have been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability. Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Customers who have upgraded Crowd and Crowd Data Center to version 3.0.5 or 3.1.6 or 3.2.8 or 3.3.5 or 3.4.4 are not affected.
Customers who have downloaded and installed Crowd and/or Crowd Data Center >= 2.1.0 but less than 3.0.5 (the fixed version for 3.0.x), or >= 3.1.0 but less than 3.1.6 (the fixed version for 3.1.x), or >= 3.2.0 but less than 3.2.8 (the fixed version for 3.2.x), or >= 3.3.0 but less than 3.3.5 (the fixed version for 3.3.x), or >= 3.4.0 but less than 3.4.4 (the fixed version for 3.4.x) should upgrade their Crowd and Crowd Data Center installations immediately to fix this vulnerability.

pdkinstall development plugin incorrectly enabled - CVE-2019-11580

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.

Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CWD-5388 .
Fix:

To address this issue, we've released the following versions containing a fix:

* Crowd and Crowd Data Center version 3.0.5
* Crowd and Crowd Data Center version 3.1.6
* Crowd and Crowd Data Center version 3.2.8
* Crowd and Crowd Data Center version 3.3.5
* Crowd and Crowd Data Center version 3.4.4

Remediation:

Atlassian recommends that customers running a version of Crowd below 3.3.0 upgrade to version 3.2.8 to avoid https://jira.atlassian.com/browse/CWD-5352. For customers running version 3.3.0 or above, Atlassian recommends upgrading to the latest version.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Crowd and Crowd Data Center 3.1.x and cannot upgrade to 3.4.4, upgrade to version 3.1.6.
If you are running Crowd and Crowd Data Center 3.2.x and cannot upgrade to 3.4.4, upgrade to version 3.2.8.
If you are running Crowd and Crowd Data Center 3.3.x and cannot upgrade to 3.4.4, upgrade to version 3.3.5.

For a full description of the latest version of Crowd and Crowd Data Center, see the release notes found at https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes. You can download the latest version of Crowd and Crowd Data Center from the download centre found at https://www.atlassian.com/software/crowd/download.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
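The affected ranges and upgrade guidance above are easy to misread when triaging many instances, so here is an added example (not part of the Atlassian advisory) that encodes them as data and answers, for each Crowd version in a constructed inventory, whether it is affected and which fix release the advisory points to. It assumes dotted-integer version strings such as "3.2.7" and treats 3.4.4 as the "latest version" named in this advisory.

```python
from typing import Optional, Tuple

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ((2, 1, 0), (3, 0, 5)),
    ((3, 1, 0), (3, 1, 6)),
    ((3, 2, 0), (3, 2, 8)),
    ((3, 3, 0), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 4)),
]
# Assumption: the "latest version" the advisory refers to is 3.4.4.
LATEST_FIXED = (3, 4, 4)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.7' (optionally with a suffix like '-SNAPSHOT') into (3, 2, 7)."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    # Pad to three components so "3.2" compares like "3.2.0".
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fix release the advisory recommends, or None if the version is not affected.

    Below 3.3.0 the advisory points to 3.2.8 (to avoid CWD-5352); from 3.3.0
    upward it points to the latest version.
    """
    v = parse_version(version)
    if not is_affected(version):
        return None
    if v < (3, 3, 0):
        return "3.2.8"
    return ".".join(str(n) for n in LATEST_FIXED)


def triage(inventory: dict) -> dict:
    """Map hostname -> (affected?, recommended upgrade) for hostname -> version."""
    return {host: (is_affected(ver), recommended_upgrade(ver))
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"crowd-a": "2.8.3", "crowd-b": "3.3.4", "crowd-c": "3.4.4", "crowd-d": "2.0.9"}
    for host, result in triage(sample).items():
        print(host, result)
```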