Crowd Atlassian Crowd

Do you want an email whenever new security vulnerabilities are reported in Atlassian Crowd?

By the Year

In 2021 there have been 1 vulnerability in Atlassian Crowd with an average score of 5.3 out of ten. Last year Crowd had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Crowd in 2021 could surpass last years number. Last year, the average CVE base score was greater by 2.20

Year Vulnerabilities Average Score
2021 1 5.30
2020 1 7.50
2019 3 7.40
2018 0 0.00

It may take a day or so for new Crowd vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Atlassian Crowd Security Vulnerabilities

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2

CVE-2020-36240 5.3 - Medium - March 01, 2021

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Information Disclosure

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1

CVE-2019-20104 7.5 - High - February 06, 2020

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.

XEE

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2

CVE-2019-15005 4.3 - Medium - November 08, 2019

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.

AuthZ

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds

CVE-2019-11580 9.8 - Critical - June 03, 2019

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4

CVE-2018-20238 8.1 - High - February 13, 2019

Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.

Session Fixation

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which

CVE-2012-2926 9.1 - Critical - May 22, 2012

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Atlassian Jira or by Atlassian? Click the Watch button to subscribe.

subscribe