Atlassian Crowd
By the Year
In 2021 there has been 1 vulnerability in Atlassian Crowd, with an average score of 5.3 out of ten. Last year Crowd had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Crowd in 2021 could surpass last year's number. Last year, the average CVE base score was greater by 2.20 (7.50 versus 5.30).
Year | Vulnerabilities | Average Score |
---|---|---|
2021 | 1 | 5.30 |
2020 | 1 | 7.50 |
2019 | 3 | 7.40 |
2018 | 0 | 0.00 |
It may take a day or so for new Crowd vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name (for example, CVE-2019-15005 below is a vulnerability in a plugin bundled with Crowd).
Latest Atlassian Crowd Security Vulnerabilities
CVE-2020-36240
5.3 - Medium, published March 01, 2021
The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2, allowed unauthenticated remote attackers to read arbitrary files within the WEB-INF and META-INF directories via an incorrect path access check.
Information Disclosure
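The bug class behind CVE-2020-36240 is an access check applied to the path as requested rather than to the path the container will actually resolve. The following is an added Python example, not Crowd's code, contrasting a flawed first-segment check with one that percent-decodes and normalises the path before testing it against the protected directories. The request paths are constructed for the example; none of them is a known Crowd payload.

```python
"""Resource-path access check: a flawed prefix test beside a normalised one.

Added example (not Crowd's code): it models an access check applied to the
path as requested rather than to the path the container resolves.
"""
import posixpath
from urllib.parse import unquote

# Directories a Java web application must never serve to clients.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def naive_is_allowed(request_path: str) -> bool:
    """Flawed check: only the first segment of the *raw* path is inspected.

    '/s/../WEB-INF/web.xml' has first segment 's', so it is allowed even
    though the container resolves it inside WEB-INF. Percent-encoding and
    a leading './' defeat the check the same way.
    """
    first_segment = request_path.lstrip("/").split("/", 1)[0]
    return first_segment.upper() not in PROTECTED_DIRS


def hardened_is_allowed(request_path: str) -> bool:
    """Decode, normalise, then refuse any path that touches a protected dir.

    The check runs on the canonical path the server will look up, so '..'
    and '.' segments and %XX escapes cannot hide a protected directory.
    Matching is case-insensitive, stricter than a case-sensitive filesystem
    needs but harmless.
    """
    decoded = unquote(request_path)
    if "\0" in decoded or "\\" in decoded:   # NUL bytes and backslashes never belong in a URL path
        return False
    # Rooted before normalising, so '..' can never climb above '/'.
    canonical = posixpath.normpath("/" + decoded.lstrip("/"))
    segments = [seg for seg in canonical.split("/") if seg]
    return not any(seg.upper() in PROTECTED_DIRS for seg in segments)


# Constructed request paths: the first is legitimate, the rest probe the check.
SAMPLE_PATHS = [
    "/s/static/app.js",
    "/WEB-INF/web.xml",
    "/s/../WEB-INF/web.xml",
    "/%57EB-INF/web.xml",
    "/./META-INF/MANIFEST.MF",
]


def evaluate(paths=SAMPLE_PATHS):
    """Map each path to (naive_verdict, hardened_verdict); True means served."""
    return {p: (naive_is_allowed(p), hardened_is_allowed(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in evaluate().items():
        print(f"{path:28} naive={'serve' if naive else 'deny':5} "
              f"hardened={'serve' if hardened else 'deny'}")
```

Three of the five constructed paths pass the naive check and are refused by the hardened one; the legitimate static resource is served by both. A real container should additionally resolve the canonical path against the application root on disk and confirm it stays inside it.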
CVE-2019-20104
7.5 - High, published February 06, 2020
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1, allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
XML Entity Expansion (XEE) / Denial of Service
CVE-2019-15005
4.3 - Medium, published November 08, 2019
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
Missing Authorization
CVE-2019-11580
9.8 - Critical, published June 03, 2019
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Remote Code Execution
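The affected ranges quoted in this entry, and in the other entries on this page, are only useful if they can be checked against a deployed version without misreading "3.10" as older than "3.6". The following is an added Python example, not an Atlassian tool, that transcribes the ranges as this page states them and reports which CVEs include a given Crowd version. A pair (lower, upper) means lower <= version < upper; an unqualified "before X" on the page is encoded with lower=None, and for CVE-2019-15005 (a plugin vulnerability) the Crowd range the page gives for the bundled plugin is used. Pre-release suffixes such as -rc1 are dropped by the parser, which is an assumption, not a rule from the page.

```python
"""Which of the Crowd CVEs listed on this page affect a given Crowd version?

Added example, not an Atlassian tool. Ranges are transcribed from this page:
(lower, upper) means lower <= version < upper, and lower=None encodes the
page's unqualified "before X". Versions are compared numerically, so 3.10.0
sorts after 3.6.2 (a plain string comparison would get this wrong).
"""
import re

AFFECTED_RANGES = {
    "CVE-2020-36240": [(None, "4.0.4"), ("4.1.0", "4.1.2")],
    "CVE-2019-20104": [(None, "3.6.2"), ("3.7.0", "3.7.1")],
    "CVE-2019-15005": [(None, "3.6.0")],           # Crowd range for the bundled plugin
    "CVE-2019-11580": [("2.1.0", "3.0.5"), ("3.1.0", "3.1.6"), ("3.2.0", "3.2.8"),
                       ("3.3.0", "3.3.5"), ("3.4.0", "3.4.4")],
    "CVE-2018-20238": [(None, "3.2.7"), ("3.3.0", "3.3.4")],
    "CVE-2012-2926": [(None, "2.0.9"), ("2.1", "2.1.2"), ("2.2", "2.2.9"),
                      ("2.3", "2.3.7"), ("2.4", "2.4.1")],
}


def parse_version(text: str) -> tuple:
    """'3.4.4' -> (3, 4, 4). Assumption: a non-numeric suffix on a component
    ('4-rc1') is dropped, so a release candidate compares as the release."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _less_than(a: tuple, b: tuple) -> bool:
    """Numeric comparison with zero padding, so (3, 4) equals (3, 4, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def in_range(version: str, lower, upper: str) -> bool:
    """True if lower <= version < upper (lower=None means no lower bound)."""
    v = parse_version(version)
    if lower is not None and _less_than(v, parse_version(lower)):
        return False
    return _less_than(v, parse_version(upper))


def affecting(version: str) -> list:
    """Sorted CVE ids whose published ranges include `version`."""
    return sorted(cve for cve, ranges in AFFECTED_RANGES.items()
                  if any(in_range(version, lo, hi) for lo, hi in ranges))


if __name__ == "__main__":
    for v in ("2.1.0", "3.4.3", "3.4.4", "3.10.0", "4.1.2"):
        print(v, "->", affecting(v) or "none of the CVEs on this page")
```

Running the block shows 3.4.4 dropping CVE-2019-11580 while still carrying the three later fixes, and 3.10.0 matching only CVE-2020-36240. Treat the result as a screen, not an authority: the ranges are as published on this page, and Atlassian's own advisories remain the reference for the exact fixed builds.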
CVE-2018-20238
8.1 - High, published February 13, 2019
Various REST resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
Insufficient Session Expiration
CVE-2012-2926
9.1 - Critical, published May 22, 2012
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
XML External Entity (XXE) / Denial of Service