## https://sploitus.com/exploit?id=SAINT:D25E7B1EADCBDB3AEA5E303651C7CC2C
Added: 12/22/2020  


### Background

Atlassian Crowd is a single sign-on solution for Atlassian products. 

### Problem

Atlassian Crowd and Crowd Data Center incorrectly enabled the pdkinstall development plugin, allowing attackers to install arbitrary plugins, leading to remote code execution. 

### Resolution

Upgrade to Atlassian Crowd 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or higher. 
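
A branch-aware check of deployed Crowd versions against the fixed releases listed above, as an added example that is not part of the original advisory. The host names and version strings in the inventory are constructed, and treating branches newer than 3.4 as fixed and branches older than 3.0 as unfixed is an assumption drawn from the "or higher" wording.

```python
import re

# Fixed patch level per maintenance branch, from the Resolution text:
# 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4
FIXED = {(3, 0): 5, (3, 1): 6, (3, 2): 8, (3, 3): 5, (3, 4): 4}
NEWEST_FIXED_BRANCH = max(FIXED)  # (3, 4)


def parse_version(text):
    """Extract (major, minor, patch) from a string such as '3.2.7' or 'Crowd 3.4.3'."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def meets_resolution(text):
    """True if the version is at or above the fixed release for its own branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        # Compare within the branch only: 3.1.2 is numerically above 3.0.5
        # but is still below 3.1.6, the fix for the 3.1 line.
        return patch >= FIXED[branch]
    # Assumption: branches after 3.4 count as "or higher"; branches before 3.0
    # have no fixed release listed on this page, so they are flagged.
    return branch > NEWEST_FIXED_BRANCH


def audit(inventory):
    """Return the sorted host names whose version does not meet the resolution."""
    return sorted(h for h, v in inventory.items() if not meets_resolution(v))


# Constructed inventory for illustration (not real hosts).
INVENTORY = {
    "crowd-prod": "3.4.4",
    "crowd-stage": "3.1.2",
    "crowd-dc-1": "Crowd 3.2.10",
    "crowd-legacy": "2.9.1",
    "crowd-lab": "3.4.3",
}

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is below the fixed release, upgrade required")
```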

### References

https://jira.atlassian.com/browse/CWD-5388   


### Limitations

This exploit creates a servlet which must be manually removed. 

### Platforms

Windows  
Linux