[CWD-6139] RCE (Remote Code Execution) in Crowd Data Center and Server

Type: Public Security Vulnerability
Resolution: Fixed
Priority: High
Fix Version/s: 5.1.6, 5.2.1
Affects Version/s: 3.4.6, 5.2.0
Component/s: None
Labels:

CVSS Score:
8
CVSS Severity:
High
CVE ID:
CVE-2023-22521
Vulnerability Source:
Bug Bounty
Credit:
m1sn0w
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Classes:

RCE (Remote Code Execution)
Affected Product(s):

Crowd Data Center, Crowd Server

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6
Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1

See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).

This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program

Form Name

ihor.zozuliak added a comment - 02/Dec/2023 9:36 AM - edited

Does it affect version 4.3.5?

ihor.zozuliak added a comment - 02/Dec/2023 9:36 AM - edited Does it affect version 4.3.5?

prodsec-jac-bot made changes - 29/Nov/2023 6:46 PM

Status

Original: Published [ 12873 ]

New: Published [ 12873 ]

Cenk Morkan added a comment - 27/Nov/2023 9:29 AM

Hello,

does it affect Embedded Crowd also?

(Atlassian Embedded Crowd - Administration Plugin - 5.0.0-m02) as example...

Cenk

Cenk Morkan added a comment - 27/Nov/2023 9:29 AM Hello, does it affect Embedded Crowd also? ( Atlassian Embedded Crowd - Administration Plugin - 5.0.0-m02) as example... BR Cenk

prodsec-jac-bot made changes - 21/Nov/2023 6:03 PM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Zachary Echouafni made changes - 17/Nov/2023 3:09 PM

Description

Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2.0 of Crowd Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

* Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1

See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).

This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program

New: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
* Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6
* Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1

See the release notes ([https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html]). You can download the latest version of Crowd Data Center and Server from the download center ([https://www.atlassian.com/software/crowd/download-archive]).

This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program

Security Metrics Bot made changes - 17/Nov/2023 2:22 PM

Fix Version/s

New: 5.1.6 [ 105948 ]

Security Metrics Bot made changes - 17/Nov/2023 2:16 PM

Affects Version/s

Original: 5.1.4 [ 105150 ]

Pawel Cieszko made changes - 17/Nov/2023 2:15 PM

Affects Version/s	Original: 5.1.0 [ 100694 ]
Affects Version/s		New: 5.1.4 [ 105150 ]

Pawel Cieszko made changes - 17/Nov/2023 2:15 PM

Affects Version/s

New: 5.1.0 [ 100694 ]

Pawel Cieszko made changes - 17/Nov/2023 2:13 PM

Affects Version/s

New: 3.4.6 [ 86993 ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 14/Nov/2023 7:31 PM

Updated:: 02/Dec/2023 9:46 AM

Resolved:: 21/Nov/2023 6:03 PM

Details

Description

Attachments

Forms

Activity

Collapse comment: ihor.zozuliak added a comment - 02/Dec/2023 9:36 AM, Edited by ihor.zozuliak - 02/Dec/2023 9:46 AM

Expand comment: ihor.zozuliak added a comment - 02/Dec/2023 9:36 AM, Edited by ihor.zozuliak - 02/Dec/2023 9:46 AM

Collapse comment: Cenk Morkan added a comment - 27/Nov/2023 9:29 AM

Expand comment: Cenk Morkan added a comment - 27/Nov/2023 9:29 AM

People

Dates