CVE-2022-43782

9.8CRITICAL

Key Information

Vendor: Atlassian
Status: Crowd Data Center; Crowd Server
Vendor: CVE Published:; 17 November 2022

Summary

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

Affected Version(s)

Crowd Data Center >= before 3.0.0

Crowd Data Center = before 4.4.4

Crowd Data Center = before 5.0.3

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Nov 17, 2022
Vulnerability Reserved.
Oct 26, 2022

Collectors

NVD DatabaseMitre Database

Credit

Ashish Kotha