[Vulnerability Alert] CVE-2019-11580 / Unauthenticated file upload in Atlassian Crowd leads to remote code execution

Vulnerability description

Certain release builds of Atlassian Crowd and Crowd Data Center shipped with the pdkinstall development plugin incorrectly enabled. This lets an attacker install arbitrary malicious plugins on Atlassian Crowd and Crowd Data Center without authentication; a malicious plugin installed through this vulnerability can execute arbitrary commands on the target server, giving the attacker control of the server.

CVE ID

CVE-2019-11580

Threat level

High

Affected versions

Atlassian Crowd 3.4.3
Atlassian Crowd 3.4
Atlassian Crowd 3.3.4
Atlassian Crowd 3.3.3
Atlassian Crowd 3.3.1
Atlassian Crowd 3.3
Atlassian Crowd 3.2.1 - 3.2.7
Atlassian Crowd 3.2
Atlassian Crowd 3.1.5
Atlassian Crowd 3.1
Atlassian Crowd 3.0.4
Atlassian Crowd 2.11.1
Atlassian Crowd 2.11
Atlassian Crowd 2.10.3
Atlassian Crowd 2.10.1
Atlassian Crowd 2.9.7
Atlassian Crowd 2.9.1 - 2.9.5
Atlassian Crowd 2.9
Atlassian Crowd 2.8.8
Atlassian Crowd 2.8.3
Atlassian Crowd 2.7
Atlassian Crowd 2.6.0 - 2.6.3
Atlassian Crowd 2.5.3 - 2.5.4
Atlassian Crowd 2.5.0 - 2.5.2
Atlassian Crowd 2.4.9
Atlassian Crowd 2.4.1
Atlassian Crowd 2.4
Atlassian Crowd 2.3.6 - 2.3.8
Atlassian Crowd 2.3.1 - 2.3.4
Atlassian Crowd 2.2.9
Atlassian Crowd 2.2.7
Atlassian Crowd 2.2.4
Atlassian Crowd 2.2.2
Atlassian Crowd 2.1.1 - 2.1.2
Atlassian Crowd 2.1

Reproduction

Download an affected version of Atlassian Crowd (2.11.0 is used here)

[Figure: the affected Atlassian Crowd instance]

Verify with the payload

[Figure: verification with the payload]

Remediation

  • 1. Upgrade to the latest version (currently 3.5.0)
  • 2. Restrict the source IPs allowed to reach /crowd/admin/uploadplugin.action
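The second remediation step only helps if you can also tell whether the endpoint was reached from outside the allowed range. The following is an added example, not code from the advisory or from Atlassian: it parses reverse-proxy access log lines in Common Log Format (an assumption about your logging setup), picks out POST requests to /crowd/admin/uploadplugin.action, and flags those whose source address is outside an administrator allowlist. The allowlist networks, the sample log lines and the timestamps are all constructed placeholders.

```python
"""Flag plugin-upload requests to Crowd that come from outside an admin allowlist.

Added example for CVE-2019-11580 monitoring; not part of the original advisory.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Endpoint named in the advisory's remediation step.
UPLOAD_PLUGIN_PATH = "/crowd/admin/uploadplugin.action"

# Assumed administrator source networks (placeholders, adjust to your environment).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: two external sources hit the upload endpoint,
# one internal admin hits it, one external source only loads the login page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2019:12:00:01 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jun/2019:12:01:02 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2019:12:02:03 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jun/2019:12:03:04 +0000] "POST /crowd/admin/uploadplugin.action?x=1 HTTP/1.1" 403 0',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip: str, allowed=ALLOWED_NETWORKS) -> bool:
    """True if ip lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: treat as not allowed
    return any(addr in net for net in allowed)


def find_suspicious_uploads(lines: List[str], allowed=ALLOWED_NETWORKS) -> List[Dict[str, object]]:
    """Return POSTs to the plugin-upload endpoint from non-allowlisted sources.

    Each finding records the source IP, timestamp, HTTP status and whether the
    request succeeded (2xx), so a 403 from the proxy is still visible as an attempt.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path != UPLOAD_PLUGIN_PATH or rec["method"] != "POST":
            continue
        if is_allowed(rec["ip"], allowed):
            continue
        status = int(rec["status"])
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": status,
            "succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_LOG):
        verdict = "SUCCEEDED" if f["succeeded"] else "blocked"
        print(f'{f["time"]} {f["ip"]} -> uploadplugin.action {f["status"]} ({verdict})')
```

Run it against your real access log with `find_suspicious_uploads(open(path).read().splitlines())`. A successful (2xx) hit from outside the allowlist on an unpatched instance is the case that warrants incident handling; a blocked (403) hit confirms the source-IP restriction from step 2 is in effect.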

Acknowledgements

Thanks to my roommate MagicChan3389 for the idea

Related links

Atlassian Crowd 3.5.0:
https://product-downloads.atlassian.com/software/crowd/downloads/atlassian-crowd-3.5.0.tar.gz
NVD CVE-2019-11580 Detail:
https://nvd.nist.gov/vuln/detail/CVE-2019-11580
