Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Crowd security updates


Hi there,

My first time to post regarding my setup. Basically I have the following set up on premise.

  • Crowd 2.8.3 (Build:#648 - 2015-06-01)
  • JIRA (v7.4.2#74004-sha1:586975d)
  • Confluence 5.5.2
  • Stash v3.8.0

Upon closer inspection at my deployment, my Crowd is using Struts, and worst, it's vulnerable. I could be using perhaps Struts version 2.3.29.

It states here that Struts can be updated separately without impacting Crowd. However, upon testing, Crowd stopped working after updating struts only. So my only option is to upgrade Crowd to a non-vulnerable version.

There have been a couple of major security updates with Struts that have been released even after the advisory above, with the latest one released only a few days ago which requires me to update to the latest Struts 2.5.16.

Now, I am at a dilemma, that I may need to upgrade both Crowd as well as Struts!

I am however, hesitant to upgrade/patch as it might break or change the way my users (JIRA, Confluence, Stash) operate which I would not want to take risk at.

My question is:

  • Will upgrading Crowd not impose any operational changes that the users will have to adjust to? They operate only in JIRA/Confluence/Stash
  • Follow-up to my question above... which version of Crowd do I apply that can support Struts 2.5.16?

Thank you.



1 answer

0 votes
Marcin Kempa Atlassian Team Apr 03, 2018

Hi @Edmon Uyan,


In general I would suggest relying on the product releases with security updates. While the CWD-4879 ticket mentioned upgrading the struts library only, without upgrading Crowd itself, this was mentioned as a hot fix and may not work with other versions of Crowd and Struts (a specially with major and minor version changes).

Currently Crowd runs on Struts 2.5.13 and it is not using the Struts REST plugin. Therefore it is not vulnerable to the issues such as S2-056S2-055 or S2-054.

Upgrading Crowd to the latest version should not impose any operational change for the users to adjust to. However in general we suggest checking the upgrade process on staging environment and checking features you rely on.


Hope that helps,

Marcin Kempa

hi @Marcin Kempa,

Thank you for that insight.

When you mentioned current Crowd, may i know what version are you referring to?

edited: it's Crowd version 3.1 that you are referring to that has Struts 2.5.13

Another thing, if I only upgrade Crowd, will the remaining apps (JIRA, Stash, Confluence) keep on working without having to upgrade them?

Thank you!

Hi @Edmon Uyan,

That's correct I was referring to Crowd 3.1.x (3.1.3 being the latest one at the moment) 

Regarding the compatibility, there were no breaking changes in the API between Crowd and other products so to my best knowledge Crowd should work with the products versions you've mentioned. Your Stash / Bitbucket Server version is pretty old though and it reached the EOL same with Confluence, I suggest upgrading to more recent ones.


Best Regards,

Marcin Kempa

Hi @Marcin Kempa,

My team was able to upgrade crowd. As it turned out, the new setup states that the maintenance license already expired and that we are running an evaluation version. Any way to allow us to continue using the license of the original setup on this upgraded one?

Also, I am doing a penetration test and found that my Crowd is vulnerable to clickjacking. It asks me to use X-Frame-Options: SAMEORIGIN. Will try this as well and let you know of the result.


Marcin Kempa Atlassian Team Apr 05, 2018

Hi @Edmon Uyan,

That's interesting as this banner should be enabled when the license is evaluation type. Can you double check the license added to this instance?

Regarding clickjacking issue, this was resolved in Crowd 2.9.1, here is the issue where we were tracking it


Best Regards,

Marcin Kempa

Hi@Marcin Kempa,

I guess I will not be needing to specify this host header once I upgraded my Crowd to the latest release.

For the license, is it possible to apply the license I had with the previous Crowd deployment?



Edmon Uyan

Marcin Kempa Atlassian Team Apr 06, 2018

Hi @Edmon Uyan,


Regarding the license for your testing environment you can use a developer license that can be accessed in your license details in


Best Regards,

Marcin Kempa

Hi @Marcin Kempa,


I am now at my license portal. I can only see New Evaluation License  |  New SourceTree License.

Wonder which shall i choose to get a developer license?


Thank you.


Edmon Uyan

Just want to confirm also, that if the trial license for this deployment of crowd expire, will the users fail to authenticate?


Struts seem to have been found to be vulnerable again. It is recommended to upgrade to Struts 2.5.17 or 2.3.35.


Wonder if the current Crowd is vulnerable with this?

Moses Thomas Community Leader Oct 21, 2019

@Marcin Kempa   Hi, I would like to  the disable this  red warning  is  it is  annoying :/ at least  should  be a reminder  to  ask  you  if you  would like to  keep  seeing  this message,  it has been like  that now why red ?

Marcin Kempa Atlassian Team Oct 24, 2019

Hi @Moses Thomas

Unfortunately it is not possible to disable that in Crowd.


Best Regards,

Marcin Kempa

Suggest an answer

Log in or Sign up to answer

Atlassian Community Events