## https://sploitus.com/exploit?id=SAINT:D25E7B1EADCBDB3AEA5E303651C7CC2C
Added: 12/22/2020  


### Background

[Atlassian Crowd](<https://www.atlassian.com/software/crowd>) is a single sign-on solution for Atlassian products. 

### Problem

Atlassian Crowd and Crowd Data Center incorrectly enabled the pdkinstall development plugin, allowing attackers to install arbitrary plugins, leading to remote code execution. 

### Resolution

[Upgrade](<https://www.atlassian.com/software/crowd/download>) to Atlassian Crowd 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or higher. 
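
To check an inventory against the fixed releases listed above, the following Python sketch compares each version with the fixed release for its own maintenance branch. It is an added example, not code from Atlassian or from the original advisory; the host names and sample versions are constructed, and treating branches older than 3.0 as needing an upgrade is an assumption, since the page does not state which older versions are affected.

```python
import re

# Fixed release per maintenance branch, copied from the Resolution section.
FIXED_PATCH = {(3, 0): 5, (3, 1): 6, (3, 2): 8, (3, 3): 5, (3, 4): 4}


def parse_version(text):
    """Return (major, minor, patch) from a string such as '3.4.3' or '3.4.3-m1'."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"unrecognised Crowd version: {text!r}")
    return tuple(int(part) for part in match.groups())


def has_listed_fix(version):
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    # Branches newer than 3.4 fall under "or higher". Older branches have no
    # fixed release on the page, so they are reported as needing an upgrade
    # (assumption: the page does not say which old versions are affected).
    return branch > max(FIXED_PATCH)


def needs_upgrade(inventory):
    """Return the sorted host names whose Crowd version lacks a listed fix."""
    return sorted(h for h, ver in inventory.items() if not has_listed_fix(ver))


if __name__ == "__main__":
    # Constructed inventory; host names and versions are sample values.
    sample = {
        "crowd-a.example.internal": "3.4.3",
        "crowd-b.example.internal": "3.4.4",
        "crowd-c.example.internal": "3.1.6",
        "crowd-d.example.internal": "3.0.4",
    }
    for host in needs_upgrade(sample):
        print(f"{host}: upgrade required (running {sample[host]})")
```

A plain "greater than 3.0.5" comparison would wrongly pass a host on 3.4.3, which is why the check is done per branch.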

### References

<https://jira.atlassian.com/browse/CWD-5388>  


### Limitations

This exploit creates a servlet which must be manually removed. 

### Platforms

Windows  
Linux