7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.974 High
EPSS
Percentile
99.9%
The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.
#TRUSTED 95c9faa894e1b1b9e8747dc835edf5d589a628125181bf6199dd206d7eeccb57f85e61fe4b53cd990f22c963bc2928e8a5681e7a3bb44326d4c7d3a66e8e405eaa35869b16ad3a9141cbf47ecf18e8e128438974bca098388c93131c2696b25e18b8351614221f5afc39989fddd5518cacfab3b763f5e0b90fcbc7f74507db15779f0e7382c9665eed65b44de5835534649cb385bdb749bb84fe8b95e7248c6ec97d0ab228e7d0e18a5aaf70f6d774b14a510dbf1eb9210122dd6e93b39b10639c84e5b24c9cc6afc6fff65ee8da3c4c1cf2c2ade7da3b481d937633a0863dd7ef0ffc49e414362b3fcb26ed21753c1f3beb8ef005b0ff511f6f7adb50189bdb244a9a17f8e9af33c072b62db5b4833804469735eee9c0e52ed8d33deebe57e9e820eb1d770b329267e4b89994a33cddb17c8b89afbf156bc71b8886de07f687f935275971f7b97422949d7a4f34bbc6d08ccccfdc267d848b9397a84ec87b1e925e1d9ce59bdcb2e94644beb737eadfa8f96202656c80b2b1c7a3e0c473391c34d74f3ad7b0a48630f1e1f8b0d713874a82454fe0f48789a0686e7e79999e4d13d692579b370ffecbc41388af9099927f7135b30d81c863cafcc155a2bd6d4f2c7675766c168d0fa88959904cf89d508b47da5c6f528ebc4195e0475845896f35b8bb11a4282452bc1166765486c978695a638d8a59fc8974ec0e064bbe4f0d
#TRUST-RSA-SHA256 b0b1ea919a4477bbbf9015637916ef94d6544bcdb193ec08f913d2e3462d42bcbf8e063b7cf511efb8f095a742e58c8079d1354da71dc66500f23a233543b33147db908c8b1e4702d5b3e6f5cfdfaa0aa9bbadf107221e2bf3f9ed0f3409b12386666c15cd605f643f6629aae91f33d35992dff5af2697723b389c9fa0ace5bc11d430e050902e93a81604679162b20e4a521e26c85418b65b84dafd941a7de5c84f41051a90a8037e759513cb9c8649528a7b6cc5ef98ef5d9bdfda6445d6cacb7e1d01806bf70018c3cbe426ec0ebe84b004ce575f161c37452554c5a3f9438f20791248d378f714607e9246f40336e780aa54ca652b60dd8016ae896da61a80b26c05138229526f0327c0a271257d390455cfaab1489cebfc596ba09c81e8c2d72d4d4036b2531015bf185adabdf4d1116ab7ccc2e046b145a83f84639a902f6f2d1b66cc459451f9a00879897ab2e8f4ce1da9ce182b32b3e6e58050976ac4d1be0eaa68fe4096e3d82fb0de23d6a9211c9b5dac2cf1f8b3303dec535c824d70725da151325c478a55ddcbc14c67cdc492da8eb1b437f3cdf62b8a754f03c25a63b3589507fd88dec4a60ff4d69d42999456f9f4c8fa371128be0763b586f5b09d94200a7f0b147f241c01242b9f310c168daa02f1e251e1f88d14adadcf3ba8d0f07e4e67c8f605b1f359f887f88e87cf765206884bb7ebc9f8bc9e8a82
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(138553);
script_version("1.23");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");
script_cve_id("CVE-2019-11580");
script_bugtraq_id(108637);
script_xref(name:"IAVA", value:"2020-A-0499-S");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2020-0129");
script_xref(name:"CEA-ID", value:"CEA-2019-0571");
script_name(english:"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)");
script_set_attribute(attribute:"synopsis", value:
"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary
plugins, which permits remote code execution.");
# https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f66fbb1c");
script_set_attribute(attribute:"see_also", value:"https://www.corben.io/atlassian-crowd-rce/");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11580");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/22");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:crowd");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("crowd_detect.nasl");
script_require_keys("www/crowd");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 8095);
exit(0);
}
include('http.inc');
include('install_func.inc');
appname = 'Atlassian Crowd';
app_id = 'crowd';
# Exit if app is not detected on the target
get_install_count(app_name:app_id, exit_if_zero:TRUE);
port = get_http_port(default:8095);
install = get_single_install(app_name:app_id, webapp:TRUE, port:port);
base_path = install['path'];
url = '/admin/uploadplugin.action';
res = http_send_recv3(
method : 'POST',
port : port,
item : base_path + url,
exit_on_fail : TRUE
);
if ('400' >< res[0] && ('Unable to install plugin' >< res[2] || 'All plugins could not be validated' >< res[2]))
{
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
request : make_list(http_last_sent_request()),
output : res[0] + res[2]
);
}
else
{
audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:install['path'], port:port));
}
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.974 High
EPSS
Percentile
99.9%