CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
56.0%
Affected versions of Atlassian Crowd allow an attacker to authenticate as the {{crowd}} application via a security misconfiguration and call privileged endpoints in Crowd's REST API under the {{usermanagement}} path.
This vulnerability can only be exploited from IP addresses listed in the Remote Addresses allowlist of the {{crowd}} application; that allowlist is empty by default.
The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3.
Affected versions: 3.x.x (all); 4.x.x before 4.4.4; 5.x.x before 5.0.3
Fixed versions: 4.4.4; 5.0.3 (there is no fixed 3.x release; 3.x installations must upgrade to one of these)
Mitigation/Workaround:
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you're unable to upgrade Crowd, a temporary mitigation is to remove or validate any Remote Addresses configured for the {{crowd}} application. You can navigate to the Remote Address configuration by following the document [here|https://confluence.atlassian.com/crowd/specifying-an-application-s-address-or-hostname-25788433.html] and remove any remote addresses that are not strictly required.
Additionally, change the password of the {{crowd}} application to a strong one, especially if a remote address must remain configured.
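The two checks an operator wants while applying the workaround are (1) whether the {{crowd}} application's Remote Addresses allowlist is empty or contains broad ranges, and (2) whether any host in that allowlist has already been calling the {{usermanagement}} endpoints. The following Python script is an added example, not Atlassian's code and not part of the advisory. It assumes the allowlist entries are IP addresses or CIDR ranges copied out of the Crowd admin UI (hostnames are flagged for manual review), that the access log is in Tomcat's common log format, and the log lines, addresses and the {{KNOWN_GOOD_HOSTS}} set are constructed for the walkthrough.

```python
"""Audit the 'crowd' application's Remote Addresses allowlist and triage
access-log requests under /rest/usermanagement/.

Added example; not Atlassian code. All inputs below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Remote Addresses configured for the 'crowd' application, as copied out of
# the Crowd admin UI (assumption: IPs or CIDR ranges). An empty list is the
# secure default described in the advisory.
REMOTE_ADDRESSES = ["10.0.5.20", "0.0.0.0/0", "ldap-sync.corp.example"]

# Hosts that legitimately call Crowd as the 'crowd' application (assumption).
KNOWN_GOOD_HOSTS = {"10.0.5.20"}

# Constructed Tomcat-style access log lines, not real traffic.
SAMPLE_LOG = """\
10.0.5.20 - - [10/Nov/2022:09:00:01 +0000] "GET /crowd/rest/usermanagement/1/user?username=jsmith HTTP/1.1" 200 412
203.0.113.7 - - [10/Nov/2022:09:00:09 +0000] "POST /crowd/rest/usermanagement/1/user HTTP/1.1" 201 88
203.0.113.7 - - [10/Nov/2022:09:00:12 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 2300
198.51.100.4 - - [10/Nov/2022:09:01:00 +0000] "GET /crowd/rest/usermanagement/1/group/direct-members?groupname=crowd-administrators HTTP/1.1" 401 0
"""


def parse_remote_address(entry):
    """IP or CIDR -> ip_network; anything else (e.g. a hostname) -> None."""
    try:
        return ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None


def audit_remote_addresses(entries, known_good=KNOWN_GOOD_HOSTS):
    """Classify each allowlist entry:

    'broad'   a range rather than a single host; every address in it can reach
              the vulnerable authentication path
    'review'  a single host that is not on the known-good list
    'ok'      a single known-good host (still rotate the 'crowd' password)
    'manual'  not an IP/CIDR, cannot be evaluated here
    """
    result = []
    for entry in entries:
        net = parse_remote_address(entry)
        if net is None:
            result.append((entry, "manual"))
        elif net.num_addresses > 1:
            result.append((entry, "broad"))
        elif str(net.network_address) in known_good:
            result.append((entry, "ok"))
        else:
            result.append((entry, "review"))
    return result


# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    method: str
    path: str
    status: int
    allowlisted: bool
    known_good: bool


def usermanagement_hits(log_text, allowlist=REMOTE_ADDRESSES, known_good=KNOWN_GOOD_HOSTS):
    """Every request under /rest/usermanagement/, annotated with allowlist status."""
    nets = [n for n in map(parse_remote_address, allowlist) if n is not None]
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or "/rest/usermanagement/" not in m.group("path"):
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        hits.append(Hit(
            ip=str(ip), method=m.group("method"), path=m.group("path"),
            status=int(m.group("status")),
            allowlisted=any(ip in n for n in nets),
            known_good=str(ip) in known_good,
        ))
    return hits


def suspicious(hits):
    """Successful usermanagement calls from allowlisted hosts that are not known-good."""
    return [h for h in hits if h.allowlisted and not h.known_good and h.status < 400]


if __name__ == "__main__":
    for entry, verdict in audit_remote_addresses(REMOTE_ADDRESSES):
        print(f"{verdict:7} {entry}")
    for h in suspicious(usermanagement_hits(SAMPLE_LOG)):
        print(f"SUSPICIOUS {h.ip} {h.method} {h.path} -> {h.status}")
```

Run the allowlist audit first: anything other than an empty list or a short list of 'ok' entries means the precondition in the advisory is met and the log triage is worth doing. With the constructed inputs the 0.0.0.0/0 entry is reported as 'broad', and the POST from 203.0.113.7 is the one request that an allowlisted but unknown host completed successfully.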
For additional details, please see full advisory here: [https://confluence.atlassian.com/x/UXurRQ]