CVE-2022-43782
Published: 2022-11-17 00:15:18
Reporter: atlassian
Source: web.nvd.nist.gov
Tags: atlassian, crowd, cve-2022-43782, security misconfiguration, rest api, usermanagement, nvd, vulnerability, atlassian crowd 4.4.4, atlassian crowd 5.0.3

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 9.4
Confidence: High
EPSS: 0.002
Percentile: 56.0%

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequently call privileged endpoints in Crowd's REST API under the usermanagement path.

This vulnerability can only be exploited from IPs specified in the crowd application's allowlist in the Remote Addresses configuration, which is "none" by default.

The affected versions are all 3.x.x versions, 4.x.x versions before 4.4.4, and 5.x.x versions before 5.0.3.

Affected configurations

NVD:
  atlassian crowd, range 3.0.0 - 4.4.4
  OR
  atlassian crowd, range 5.0.0 - 5.0.3

Vendor: atlassian
Product: crowd
Version: *
CPE: cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Atlassian",
    "product": "Crowd Data Center",
    "versions": [
      {
        "version": "before 3.0.0",
        "status": "unaffected"
      },
      {
        "version": "before 4.4.4",
        "status": "affected"
      },
      {
        "version": "before 5.0.3",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Atlassian",
    "product": "Crowd Server",
    "versions": [
      {
        "version": "before 3.0.0",
        "status": "unaffected"
      },
      {
        "version": "before 4.4.4",
        "status": "affected"
      },
      {
        "version": "before 5.0.3",
        "status": "affected"
      }
    ]
  }
]
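The following is an added example, not code from the advisory page or from Atlassian. It encodes the affected ranges stated in the description above and in the CNA data (all 3.x.x, 4.x.x before 4.4.4, 5.x.x before 5.0.3) as half-open version ranges, checks a constructed inventory of Crowd hosts against them, and folds in the advisory's caveat that the flaw is only reachable from IPs in the crowd application's Remote Addresses allowlist. The inventory hostnames and version strings are made up, and the allowlist is modelled simply as a list of address strings; that representation is an assumption for illustration, not Crowd's own configuration format.

```python
"""Version-range and exposure triage for CVE-2022-43782 (Atlassian Crowd).

Added example for this advisory page; not Atlassian's code. The affected
ranges come from the advisory text and CNA data reproduced above.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' and ignore any suffix ('5.0.2-rc1' -> (5, 0, 2))."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Crowd version string: {text!r}")
    return Version(int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


# Half-open ranges [first_affected, first_fixed) taken from the advisory:
# all 3.x.x and 4.x.x before 4.4.4; 5.x.x before 5.0.3.
AFFECTED_RANGES = [
    (Version(3, 0, 0), Version(4, 4, 4)),
    (Version(5, 0, 0), Version(5, 0, 3)),
]


def first_fixed_version(version_text: str) -> str | None:
    """Return the fixed release for the affected branch, or None if unaffected."""
    v = parse_version(version_text)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(map(str, fixed))
    return None


def is_affected(version_text: str) -> bool:
    return first_fixed_version(version_text) is not None


def exposure(version_text: str, remote_addresses: list[str]) -> str:
    """Combine the version check with the Remote Addresses caveat.

    The advisory states the flaw is only exploitable from IPs in the crowd
    application's allowlist, which is "none" by default. The allowlist is
    modelled here as a plain list of address strings (an assumption).
    """
    fix = first_fixed_version(version_text)
    if fix is None:
        return "not affected"
    if not remote_addresses:
        return f"vulnerable version, no allowlisted remote addresses; upgrade to {fix}"
    return (f"vulnerable version, reachable from {len(remote_addresses)} allowlisted "
            f"address(es); upgrade to {fix} and review the allowlist")


# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "crowd-legacy.example.internal": "3.7.2",
    "crowd-prod-a.example.internal": "4.4.3",
    "crowd-prod-b.example.internal": "4.4.4",
    "crowd-stage.example.internal": "5.0.2",
    "crowd-new.example.internal": "5.0.3",
}


def triage(inventory: dict[str, str]) -> dict[str, str | None]:
    """Map host -> fixed version to upgrade to (None when already unaffected)."""
    return {host: first_fixed_version(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        status = f"upgrade to {fix}" if fix else "not affected"
        print(f"{host:32} {INVENTORY[host]:8} {status}")
```

The ranges are deliberately half-open so the fixed releases 4.4.4 and 5.0.3 are reported as unaffected, matching the advisory; a later 5.1.x release also falls outside both ranges, as the text only lists 5.x.x releases before 5.0.3.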
