Crowd Security Advisory 2008-10-14 - Parameter Injection Vulnerability
Parameter Injection Vulnerability in Crowd
Atlassian rates this vulnerability as critical, according to the scale published in Crowd Security Advisories and Fixes. The scale allows us to rank a vulnerability as critical, high, moderate or low.
We have identified and fixed a flaw which would allow a malicious user (hacker) to inject their own values into a Crowd request by adding parameters to the URL string. This would allow a hacker to bypass Crowd's security checks and perform actions that they are not authorised to perform.
To address the issue, you should upgrade Crowd as soon as possible. Please follow the instructions in the 'Fix' section below. If you judge it necessary, you can block all untrusted IP addresses from accessing Crowd.
A hacker can design a URL string containing parameters which perform specific actions on the Crowd server, bypassing Crowd's security checks. This is because Crowd does not adequately sanitise user input before applying it as an action on the server.
Exploiting this issue could allow an attacker to access or modify data and compromise the Crowd application.
The following Crowd versions are vulnerable: All versions from 1.0 to 1.5.0 inclusive.
Please download the relevant upgrade file for your version of Crowd from the download centre as follows:
- If you have Crowd 1.5.0 — upgrade to Crowd 1.5.1 (see the release notes and upgrade guide).
- If you have Crowd 1.4.x — upgrade to Crowd 1.4.7 (see the release notes and upgrade guide).
- If you have Crowd 1.3.x — upgrade to Crowd 1.3.3 (see the release notes and upgrade guide).
- If you have Crowd 1.2.x — upgrade to Crowd 1.2.4 (see the release notes and upgrade guide).
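The following inventory check is an added example, not part of the original advisory or Atlassian's tooling. It applies the vulnerable range and upgrade list above to installed version strings. It assumes that later maintenance releases on a fixed branch keep the fix; the host names are hypothetical.

```python
import re

# Fixed release per branch, copied from the advisory's upgrade list.
FIXED = {(1, 5): (1, 5, 1), (1, 4): (1, 4, 7), (1, 3): (1, 3, 3), (1, 2): (1, 2, 4)}
# Stated vulnerable range: "All versions from 1.0 to 1.5.0 inclusive".
FIRST_AFFECTED, LAST_AFFECTED = (1, 0, 0), (1, 5, 0)


def parse_version(text):
    """Parse '1.4', '1.4.6' or 'Crowd 1.5.0' into a 3-tuple; None if unparseable."""
    m = re.fullmatch(r"(?:Crowd\s+)?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(text):
    """Return (status, upgrade_target) for one installed version string."""
    v = parse_version(text)
    if v is None:
        return ("unknown", None)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        # A plain "v <= 1.5.0" test would wrongly flag patched 1.4.7, 1.3.3 and 1.2.4.
        # Assumption: later maintenance releases on the same branch keep the fix.
        if v >= fixed:
            return ("fixed", None)
        return ("vulnerable", ".".join(map(str, fixed)))
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        # 1.0.x / 1.1.x: in the vulnerable range, no same-branch fix in the list.
        return ("vulnerable", None)
    return ("outside advisory range", None)


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {"sso-01": "1.5.0", "sso-02": "Crowd 1.4.7", "sso-03": "1.1.2"}
    for host, (status, target) in report(sample).items():
        print(host, status, target or "-")
```

A result of vulnerable with no upgrade target means the branch is in the affected range but the upgrade list above names no fixed release for it.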