Atlassian Crowd 2.x < 2.11.0 Information Disclosure
Medium Nessus Network Monitor Plugin ID 9903
SynopsisThe remote web server hosts an application that is vulnerable to an information disclosure attack vector.
DescriptionThe version of Crowd installed on the remote host is 2.x, earlier than 2.11.0 and is affected by a flaw in the 'ApplicationLinkRequestFactoryFactoryImpl.createRequest' function that is triggered when handling URIs. With a specially crafted URIs string, a context-dependent attacker can disclose potentially sensitive information.
SolutionUpdate to Crowd version 2.11.0 or later.