Is CVE-2019-11580 actively exploited?

CVE-2019-11580 has no public evidence of in-the-wild exploitation as of 2025-10-24.

What is the CVSS score for CVE-2019-11580?

CVE-2019-11580 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2019-11580?

Patch guidance is available from atlassian security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2019-11580.

Fix CVE-2019-11580 - CRITICAL atlassian crowd

Q: Which products are affected by CVE-2019-11580?

5 products: atlassian crowd, atlassian crowd, atlassian crowd, atlassian crowd, atlassian crowd.

Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: NVD-CWE-noinfo

Metadata

Primary Vendor: ATLASSIAN
Published: 6/3/2019
Last Modified: 10/24/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

atlassian : crowdatlassian : crowdatlassian : crowdatlassian : crowdatlassian : crowd

Remediation Guidance

Executive Summary

View on NIST NVD