CVE-2019-11580

CVE-2019-11580 is a critical-severity vulnerability in Atlassian Crowd with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).

Key facts

Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

CVE-2019-11580: Atlassian Crowd pdkinstall Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

CVE CVSS v3 EPSS KEV CWE
CVE-2019-11580 9.8 (CRITICAL) 0.95355 (99.86th percentile) Yes Not specified

Summary

Atlassian Crowd and Crowd Data Center contained the pdkinstall development plugin incorrectly enabled in release builds. This allows attackers to send unauthenticated or authenticated requests to install arbitrary plugins, resulting in remote code execution.

Background

Atlassian Crowd is a centralized identity management and single sign-on (SSO) solution used by enterprises to manage application authentication. Crowd Data Center is the clustered, high-availability deployment option. The pdkinstall plugin is a development tool intended for plugin installation in non-production environments. Its presence in release builds was an oversight.

Root Cause

The specific CWE identifier is not provided in the source data. The vulnerability class aligns with exposed debug or development functionality: the pdkinstall plugin, which should have been restricted to development builds, was left enabled in production release builds. This exposed a plugin installation endpoint without adequate authorization checks, violating the principle of least privilege and secure-by-default configuration.

Impact

The vulnerability is rated CRITICAL with a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The metrics reflect:

  • Network exploitable (AV:N) with no authentication required (PR:N)
  • Low attack complexity (AC:L) and no user interaction needed (UI:N)
  • High impact across all three pillars: Confidentiality, Integrity, and Availability (C:H/I:H/A:H)

An attacker exploiting this flaw gains full administrative control over the Crowd instance, enabling account takeover, data exfiltration, lateral movement to integrated applications, and service disruption.

Exploitation Walkthrough

Ethics Caveat: This section describes the attack concept for defensive purposes only. Do not attempt to exploit systems without explicit authorization.

The exploitation pathway follows these conceptual stages:

  1. Reconnaissance: The attacker identifies an exposed Crowd or Crowd Data Center instance, typically via service banners or known Atlassian endpoints.
  2. Plugin Installation: The attacker submits a crafted request to the pdkinstall endpoint. Because the plugin lacks proper authorization checks, the request is processed even without valid credentials.
  3. Code Execution: The installed plugin runs with the privileges of the Crowd application server, yielding remote code execution on the underlying host.

Defenders should audit access logs for unusual plugin installation events and restrict Crowd administrative interfaces to trusted networks.

Affected and Patched Versions

Affected versions:

  • All versions from 2.1.0 before 3.0.5
  • All versions from 3.1.0 before 3.1.6
  • All versions from 3.2.0 before 3.2.8
  • All versions from 3.3.0 before 3.3.5
  • All versions from 3.4.0 before 3.4.4

Patched versions:

  • 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 and later

Remediation

  1. Upgrade immediately to a fixed version (3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4, or later). Atlassian has removed the pdkinstall plugin from release builds in these versions.
  2. Compensating controls (if immediate patching is not possible):
    • Restrict network access to the Crowd instance to authorized administrative hosts only.
    • Deploy a Web Application Firewall (WAF) rule to block requests to the pdkinstall endpoint.
    • Monitor for unauthorized plugin installation attempts.
    • Validate that no unexpected plugins are currently installed via the Crowd administration console.

Detection

  • Review Crowd application logs for plugin installation events originating from unexpected source IPs or unauthenticated sessions.
  • Inspect the list of installed plugins for any entries not explicitly approved by the operations team.
  • Correlate WAF or reverse-proxy logs with known pdkinstall URI patterns.
  • Use endpoint detection and response (EDR) tools to monitor for anomalous process spawning from the Crowd application server user context.

Assessment

With an EPSS score of 0.95355 (99.86th percentile) and confirmed inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog since 2021-11-03, this vulnerability is actively exploited in the wild and should be treated as an immediate patching priority.

Key lessons:

  1. Development artifacts must be stripped from release builds. Build pipelines should include automated checks to ensure debug plugins, test endpoints, and diagnostic tools are not packaged in production artifacts.
  2. Authentication and authorization must apply to all administrative endpoints. The absence of authentication on a plugin installation interface is a critical architectural failure.

References

Frequently asked questions

What is CVE-2019-11580?
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
How severe is CVE-2019-11580?
CVE-2019-11580 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-11580 being actively exploited?
Yes. CVE-2019-11580 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-11580?
CVE-2019-11580 affects Atlassian Crowd. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-11580?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-11580 have an EU (EUVD) identifier?
Yes. CVE-2019-11580 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-3250. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-11580 published?
CVE-2019-11580 was published on 2019-06-03 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Atlassian Crowd

All CVEs affecting Atlassian Crowd →