CVE-2022-43782

9.8CRITICAL

Key Information:

Vendor: Atlassian
Status: Crowd Data Center; Crowd Server
Vendor: CVE Published:; 17 November 2022

Summary

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path.

This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default.

The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

Affected Version(s)

Crowd Data Center before 4.4.4

Crowd Data Center before 5.0.3

Crowd Server before 4.4.4

References

https://jira.atlassian.com/browse/CWD-5888

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 17, 2022
Vulnerability Reserved
Oct 26, 2022

Credit

Ashish Kotha