Atlassian Crowd
Atlassianidentity6 credentials
Database Password
atlassian-crowd / database-password
Crowd stores configuration in crowd.cfg.xml in the Crowd home directory. The file includes database connection properties such as the database username and password used by Crowd to connect to its relational database.
Looks like
pattern<property name="hibernate\.connection\.username">[^<]+</property>\s*<property name="hibernate\.connection\.password">[^<]*</property><property name="hibernate\.connection\.password">[^<]*</property>Location
$CROWD_HOME/crowd.cfg.xmlCrowd home configuration file generated by the setup wizard
Crowd home backups, migration bundles, snapshots, support exports
Notes
Crowd is an identity service. Database access can expose user directory configuration, application trust configuration, groups, memberships, and stored credential metadata for multiple Atlassian applications that depend on Crowd.
Local User / Administrator Password
atlassian-crowd / local-user-admin-password
Crowd internal-directory users, including administrators created during setup or by operators, authenticate with passwords stored in Crowd's database. External directories can delegate password verification to LDAP, Active Directory, or other directory connectors.
Looks like
patterncwd_user.*credential[^\s:@]+:[^\s:]+Location
Crowd internal directory tables, including cwd_user credential data
/crowd/console/login.actionCrowd administration console login
Crowd REST API and application authentication flows
scripts and service integrations that embed Crowd usernames and passwords
Notes
There is no universal shipped Crowd administrator password. The setup flow or an operator creates administrator credentials. Users may be stored locally in Crowd or resolved from delegated directories, so the storage location depends on directory configuration.
Application Password
atlassian-crowd / application-password
Crowd applications authenticate to the Crowd framework as clients using an application name and password. Atlassian's application setup wizard explicitly asks for the password the application will use when it authenticates against Crowd.
Looks like
pattern(application\.name|application\.password|crowd\.application\.name|crowd\.application\.password)\s*=\s*[^\r\n]+<password>[^<]*</password>Location
Crowd application records and application password storage
client application crowd.properties or equivalent connector config
application deployment templates, containers, and automation repos
application backups and Crowd database dumps
Notes
This is a service-to-service credential rather than a human login. A leaked application password can let a client impersonate a configured application to Crowd, subject to the application's remote-address and directory permissions.
LDAP / Directory Bind Password
atlassian-crowd / directory-bind-password
Crowd directory connectors can authenticate to LDAP, Active Directory, and other external directories using a bind account and password. The bind credential lets Crowd search or update the external directory according to connector permissions.
Looks like
pattern(ldap|directory|connector).*(password|credential)Location
Crowd directory connector configuration records
exported or templated directory connector configuration
Crowd database backups, migration bundles, and support exports
Notes
Bind-account blast radius depends on the external directory. A read-only LDAP bind may expose account and group data; a privileged bind may support password changes or directory modification.
Personal Access Token
atlassian-crowd / personal-access-token
Newer Crowd Data Center versions support personal access tokens for users and scripts. Like other Atlassian Data Center PATs, they are bearer credentials used instead of embedding a username and password.
Looks like
patternAuthorization:\s*Bearer\s+[^\s]+Location
CROWD_TOKEN, CROWD_PATREST scripts, provisioning tools, directory sync automation
HTTP client debug logs when Authorization headers are printed
CI/CD variables and service secret stores
Notes
A PAT carries the permissions of the creating user until expiration or revocation. If a Crowd PAT is not available in a deployed version, integrations typically fall back to username/password or application credentials.
pdkinstall Development Plugin
atlassian-crowd / pdkinstall-development-plugin
A Crowd security advisory describes CVE-2019-11580, where the pdkinstall development plugin was incorrectly enabled in Crowd and Crowd Data Center. The issue is a public backdoor-like administrative exposure, but it is not a literal shipped password.
Looks like
patternpdkinstallLocation
affected Crowd web application exposing the development plugin
Notes
Do not add a default username or password for this issue: the advisory and CVE document an incorrectly enabled development plugin, not a literal credential. It is included because it is a known public backdoor-style Crowd exposure relevant to credential and identity compromise triage.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.