
DETECTION OVERVIEW

Atlassian Crowd Exploit - CVE-2019-11580

Risk Factors

An unauthenticated attacker can leverage publicly-available code to exploit this vulnerability. A successful exploit can result in the attacker gaining control of the server and launching attacks on other network devices.

Kill Chain

Exploitation

Risk Score

83


Attack Background

Atlassian Crowd and Crowd Data Center are centralized identity management applications for enterprises. Affected versions ship with the pdkinstall development plugin incorrectly enabled. An attacker can exploit this plugin by sending an HTTP POST request to the application with a URI that ends in /admin/uploadplugin.action. The request carries one or more Java Archive (JAR) files that make up a malicious plugin. After the application receives the request, it installs the plugin from the JAR files and the malicious code runs on the server.
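As an added example that is not part of this detection or its vendor's code, the following Python snippet scans web-server access log lines for the request shape described above: an HTTP POST whose URI ends with /admin/uploadplugin.action. The Combined Log Format layout and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed Combined Log Format: source, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

@dataclass
class Hit:
    src: str
    ts: str
    path: str
    status: int

def is_plugin_upload(method: str, path: str) -> bool:
    """True when the request matches the CVE-2019-11580 exploit shape:
    a POST whose URI (query string stripped) ends with /admin/uploadplugin.action.
    Case is normalized so trivial casing differences do not slip past the rule."""
    path = path.split("?", 1)[0]
    return method == "POST" and path.lower().endswith("/admin/uploadplugin.action")

def scan(lines):
    """Return a Hit for every log line that matches the exploit shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        if is_plugin_upload(m["method"], m["path"]):
            hits.append(Hit(m["src"], m["ts"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (not real traffic); only the two POSTs should match.
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /crowd/console/login.action HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /crowd/admin/UploadPlugin.action?x=1 HTTP/1.1" 302',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /crowd/admin/uploadplugin.action HTTP/1.1" 403',
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.ts} {h.src} POST {h.path} -> {h.status}")
```

Any POST to this action on a Crowd instance that is still on a vulnerable version deserves investigation regardless of the response code, since the plugin is installed before the server answers.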

Mitigation Options

Upgrade to a fixed version.

If you cannot upgrade, delete any pdkinstall-plugin JAR files from the Crowd installation directory and the data directory, and remove the pdkinstall-plugin JAR file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip.
