module
Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
| Disclosed |
|---|
| 2019-05-22 |
Disclosed
2019-05-22
Description
This module can be used to upload a plugin on Atlassian Cloud via
the pdkinstall development plugin as an unauthenticated attacker.
The payload is uploaded as a JAR archive containing a servlet using
a POST request to /crowd/admin/uploadplugin.action. The check command will
check that the /crowd/admin/uploadplugin.action page exists and that it
responds appropriately to determine if the target is vulnerable or not.
the pdkinstall development plugin as an unauthenticated attacker.
The payload is uploaded as a JAR archive containing a servlet using
a POST request to /crowd/admin/uploadplugin.action. The check command will
check that the /crowd/admin/uploadplugin.action page exists and that it
responds appropriately to determine if the target is vulnerable or not.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.