We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Crowd web interface. In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Crowd.

The vulnerability affects all supported versions of Crowd. For more information, see the full advisory.

            [CWD-3904] ClassLoader manipulation vulnerability


              dberrueta Diego Berrueta
              vosipov VitalyA