发布时间:2019-07-18 12:36:39,来源:中国信息通信研究院
安全漏洞通告 |
类型:代码执行漏洞 影响范围:Atlassian 危害级别:高危 |
内容概述 |
Atlassian Crowd和Atlassian Crowd Data Center中存在命令执行漏洞。攻击者可利用该漏洞执行任意代码/命令。CVE编号:CVE-2019-11580。 受影响版本: Atlassian Crowd 3.4.3 Atlassian Crowd 3.4 Atlassian Crowd 3.3.4 Atlassian Crowd 3.3.3 Atlassian Crowd 3.3.1 Atlassian Crowd 3.3 Atlassian Crowd 3.2.1 - 3.2.7 Atlassian Crowd 3.2 Atlassian Crowd 3.1.5 Atlassian Crowd 3.1 Atlassian Crowd 3.0.4 Atlassian Crowd 2.11.1 Atlassian Crowd 2.11 Atlassian Crowd 2.10.3 Atlassian Crowd 2.10.1 Atlassian Crowd 2.9.7 Atlassian Crowd 2.9.1 - 2.9.5 Atlassian Crowd 2.9 Atlassian Crowd 2.8.8 Atlassian Crowd 2.8.3 Atlassian Crowd 2.7 Atlassian Crowd 2.6.0 - 2.6.3 Atlassian Crowd 2.5.3 - 2.5.4 Atlassian Crowd 2.5.0 - 2.5.2 Atlassian Crowd 2.4.9 Atlassian Crowd 2.4.1 Atlassian Crowd 2.4 Atlassian Crowd 2.3.6 - 2.3.8 Atlassian Crowd 2.3.1 - 2.3.4 Atlassian Crowd 2.2.9 Atlassian Crowd 2.2.7 Atlassian Crowd 2.2.4 Atlassian Crowd 2.2.2 Atlassian Crowd 2.1.1 - 2.1.2 Atlassian Crowd 2.1 |
详细说明 |
Atlassian Crowd和Atlassian Crowd Data Center都是澳大利亚Atlassian公司的产品。Atlassian Crowd是一套基于Web的单点登录系统。该系统为多用户、网络应用程序和目录服务器提供验证、授权等功能。Atlassian Crowd Data Center是Crowd的集群部署版。 Atlassian Crowd和Crowd Data Center在其某些发行版本中错误地启用了pdkinstall开发插件。从而使攻击者可以在未授权访问的情况下对Atlassian Crowd和Crowd Data Center安装任意的恶意插件,攻击者借用此漏洞安装的恶意插件可以在目标服务器上执行任意命令,从而获得服务器权限。 |
处理方法和建议 |
1、漏洞修复建议: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://confluence.atlassian.com/x/3ADVOQ 2、参考链接: https://nvd.nist.gov/vuln/detail/CVE-2019-11580 |