Security Advisory FAQ - Crowd Server and Data Center 2019-05-22

Recently a new critical severity security advisory was released which affects a number of instances running Crowd Server and Crowd Data Center: Crowd Security Advisory 2019-05-22. Our aim is to provide some guidance on what to do to fix and work around this vulnerability.

What is the CVE?

The security vulnerability Atlassian disclosed on May 22nd, 2019 is of Critical severity. You can read examples and a description of the potential impact of vulnerabilities at this level here: Severity Levels for Security Issues. Most current Crowd versions are affected; you can check the full list of affected versions directly on the CVE page. Here is a representation of the affected versions:

  • 2.1.0 <= version < 3.0.5
  • 3.1.0 <= version < 3.1.6
  • 3.2.0 <= version < 3.2.8
  • 3.3.0 <= version < 3.3.5
  • 3.4.0 <= version < 3.4.4

For more details on the CVE and full list of affected versions, check here:

This vulnerability allows attackers to send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.

Which versions have the fix?

The following versions include a fix for this:

  • 3.0.5

  • 3.1.6

  • 3.2.8

  • 3.3.5

  • 3.4.4

Upgrading to these versions will fix the vulnerability. Upgrading is the ideal, long-term solution. However, not every instance can be easily upgraded, and such instances might need to follow the workaround instead.

Is there a workaround?

Yes. Removing the pdkinstall-plugin will mitigate the issue. This plugin is intended for development testing only; release versions had it incorrectly enabled, so removing it will not affect any Crowd functionality.

Here is how to disable this plugin:

  1. Stop Crowd

  2. Find and delete any pdkinstall-plugin jar files from the Crowd installation directory and the data directory

  3. Remove the pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/

  4. Start Crowd

  5. Check that there are no pdkinstall-plugin jar files in the installation directory or the data directory.
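The file-system part of the steps above (2, 3 and 5) as a POSIX shell script, added here as an example; it is not a script from Atlassian or from the advisory. The installation and data directory paths are passed as arguments (placeholders in the usage comment), and the jar name pattern pdkinstall-plugin*.jar is an assumption. Crowd must still be stopped before running it and started afterwards (steps 1 and 4).

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling. Locates and removes pdkinstall-plugin
# jars under a Crowd installation directory and data (home) directory, then verifies
# that none remain. Assumes the jars match the name pattern pdkinstall-plugin*.jar.

# Print every pdkinstall-plugin jar under the given directories, one path per line.
find_pdkinstall_jars() {
    find "$@" -type f -name 'pdkinstall-plugin*.jar' 2>/dev/null
}

# Number of pdkinstall-plugin jars under the given directories (whitespace stripped
# because some wc implementations pad the count).
count_pdkinstall_jars() {
    find_pdkinstall_jars "$@" | wc -l | tr -d ' '
}

# Steps 2 and 3: delete every pdkinstall-plugin jar under the given directories.
# The explicit <install>/crowd-webapp/WEB-INF/classes/ location is covered because
# it lies inside the installation directory. Each removed path is printed.
remove_pdkinstall_jars() {
    find "$@" -type f -name 'pdkinstall-plugin*.jar' -print -exec rm -f {} +
}

# Step 5: succeed (exit 0) only if no pdkinstall-plugin jar remains.
verify_pdkinstall_removed() {
    [ "$(count_pdkinstall_jars "$@")" -eq 0 ]
}

# Usage (placeholder paths): sh remove-pdkinstall.sh /opt/atlassian/crowd /var/atlassian/application-data/crowd
main() {
    install_dir="$1"
    home_dir="$2"
    echo "pdkinstall-plugin jars found: $(count_pdkinstall_jars "$install_dir" "$home_dir")"
    remove_pdkinstall_jars "$install_dir" "$home_dir"
    if verify_pdkinstall_removed "$install_dir" "$home_dir"; then
        echo "OK: no pdkinstall-plugin jars remain under $install_dir or $home_dir"
    else
        echo "WARNING: pdkinstall-plugin jars still present; check permissions and rerun" >&2
        return 1
    fi
}

# Run only when both directories are given, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```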

What is the quickest way to resolve this?

Right now, the workaround is the easier way out of this CVE. Crowd upgrades can be tricky for anyone. As much as we want to get customers out of this quickly, upgrading requires:

  • Planning

  • Test instances

  • Downtime

  • Backups

  • Approval

What is the impact of disabling the pdkinstall-plugin for my Instance?

There should be none. This plugin was never intended to reach release and provides no vital functionality to Crowd.

For anyone worried, you can rest assured that this workaround will not affect any core functionality of Crowd, since this is a plugin used for testing when developing Crowd.

What if I was not notified of this?

Take a look at this link:

Marketing email preferences

There you should be able to subscribe to the Security Advisories for your own specific products.

Is the Cloud platform affected by this?

No. If you are on Cloud there is no need to worry about this CVE.
