Security Flaw in Crowd Affects User Management for OpenLDAP
CVE-2019-20902
CVSS 7.5 (HIGH)
Summary
A vulnerability in Atlassian's Crowd platform allows disabled OpenLDAP users to be inadvertently reactivated when Crowd is upgraded via XML Data Transfer. The flaw affects Crowd versions before 3.4.6 and versions from 3.5.0 before 3.5.1. Organizations running an affected version risk unauthorized access by accounts that were meant to be disabled, so upgrading to a fixed version is necessary to keep user management secure.
Affected Version(s)
Crowd < 3.4.6
Crowd >= 3.5.0 and < 3.5.1
CVSS v3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged