Crowd Security Advisory 2008-10-14 - Parameter Injection Vulnerability

In this advisory:

Parameter Injection Vulnerability in Crowd

Severity

Atlassian rates this vulnerability as critical, according to the scale published in Crowd Security Advisories and Fixes. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a flaw which would allow a malicious user (hacker) to inject their own values into a Crowd request by adding parameters to the URL string. This would allow a hacker to bypass Crowd's security checks and perform actions that they are not authorised to perform.

Risk Mitigation

To address the issue, you should upgrade Crowd as soon as possible. Please follow the instructions in the 'Fix' section below. If you judge it necessary, you can block all untrusted IP addresses from accessing Crowd.

Vulnerability

A hacker can design a URL string containing parameters which perform specific actions on the Crowd server, bypassing Crowd's security checks. This is because Crowd does not adequately sanitise user input before applying it as an action on the server.

Exploiting this issue could allow an attacker to access or modify data and compromise the Crowd application.

The following Crowd versions are vulnerable: All versions from 1.0 to 1.5.0 inclusive.

Fix

Please download the relevant upgrade file for your version of Crowd from the download centre as follows:

Last modified on Oct 14, 2014

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.