We have learnt that an important security vulnerability has been discovered on Atlassian Crowd.
This vulnerability affects all Standalone versions prior to 2.6.3 (released on June 24th 2013 and fixing this issue) – 2.5.4 excluded.
You will find all technical details in this report from CommandFive. This vulnerability can be exploited by anyone accessing your Crowd REST API, you are particularly impacted if your Crowd server is available on internet.
Ths JIRA issue referring to this problem is here: https://jira.atlassian.com/
To fix this issue, you can:
- Apply a patch available on Crowd 2.1.2 and upwards (patch instructions detailed on Atlassian ticket)
- Do a Crowd upgrade to 2.5.4 or 2.6.3 (mandatory if you use a Crowd version older than 2.1.2)
For all information related to patch instructions you can reach Atlassian via support.atlassian.com.