Atlassian Crowd和Atlassian Crowd Data Center命令执行漏洞

内容概述

Atlassian   Crowd和Atlassian Crowd Data Center中存在命令执行漏洞。攻击者可利用该漏洞执行任意代码/命令。CVE编号：CVE-2019-11580。

受影响版本：

Atlassian   Crowd 3.4.3

Atlassian   Crowd 3.4

Atlassian   Crowd 3.3.4

Atlassian   Crowd 3.3.3

Atlassian   Crowd 3.3.1

Atlassian   Crowd 3.3

Atlassian   Crowd 3.2.1 - 3.2.7

Atlassian   Crowd 3.2

Atlassian   Crowd 3.1.5

Atlassian   Crowd 3.1

Atlassian   Crowd 3.0.4

Atlassian   Crowd 2.11.1

Atlassian   Crowd 2.11

Atlassian   Crowd 2.10.3

Atlassian   Crowd 2.10.1

Atlassian   Crowd 2.9.7

Atlassian   Crowd 2.9.1 - 2.9.5

Atlassian   Crowd 2.9

Atlassian   Crowd 2.8.8

Atlassian   Crowd 2.8.3

Atlassian   Crowd 2.7

Atlassian   Crowd 2.6.0 - 2.6.3

Atlassian   Crowd 2.5.3 - 2.5.4

Atlassian   Crowd 2.5.0 - 2.5.2

Atlassian   Crowd 2.4.9

Atlassian   Crowd 2.4.1

Atlassian   Crowd 2.4

Atlassian   Crowd 2.3.6 - 2.3.8

Atlassian   Crowd 2.3.1 - 2.3.4

Atlassian   Crowd 2.2.9

Atlassian   Crowd 2.2.7

Atlassian   Crowd 2.2.4

Atlassian   Crowd 2.2.2

Atlassian   Crowd 2.1.1 - 2.1.2

Atlassian   Crowd 2.1

详细说明

Atlassian   Crowd和Atlassian Crowd Data Center都是澳大利亚Atlassian公司的产品。Atlassian Crowd是一套基于Web的单点登录系统。该系统为多用户、网络应用程序和目录服务器提供验证、授权等功能。Atlassian   Crowd Data Center是Crowd的集群部署版。

Atlassian   Crowd和Crowd Data Center在其某些发行版本中错误地启用了pdkinstall开发插件。从而使攻击者可以在未授权访问的情况下对Atlassian   Crowd和Crowd Data Center安装任意的恶意插件，攻击者借用此漏洞安装的恶意插件可以在目标服务器上执行任意命令，从而获得服务器权限。

处理方法和建议

1、漏洞修复建议：

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：

https://confluence.atlassian.com/x/3ADVOQ

2、参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2019-11580