Documentation for Crowd 2.8. Documentation for earlier versions of Crowd is available too.

Skip to end of metadata
Go to start of metadata

In this advisory:

Parameter Injection Vulnerability in Crowd


Atlassian rates this vulnerability as critical, according to the scale published in Crowd Security Advisories and Fixes. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a flaw which would allow a malicious user (hacker) to inject their own values into a Crowd request by adding parameters to the URL string. This would allow a hacker to bypass Crowd's security checks and perform actions that they are not authorised to perform.

Risk Mitigation

To address the issue, you should upgrade Crowd as soon as possible. Please follow the instructions in the 'Fix' section below. If you judge it necessary, you can block all untrusted IP addresses from accessing Crowd.


A hacker can design a URL string containing parameters which perform specific actions on the Crowd server, bypassing Crowd's security checks. This is because Crowd does not adequately sanitise user input before applying it as an action on the server.

Exploiting this issue could allow an attacker to access or modify data and compromise the Crowd application.

The following Crowd versions are vulnerable: All versions from 1.0 to 1.5.0 inclusive.


Please download the relevant upgrade file for your version of Crowd from the download centre as follows:

  • No labels