Lucene search

AtlassianCVELIST:CVE-2022-43782

HistoryNov 17, 2022 - 12:00 a.m.

CVE-2022-43782

2022-11-1700:00:01

atlassian

www.cve.org

atlassian crowd

security misconfiguration

unauthorized access

rest api

ip allowlist

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.2%

JSON

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd’s REST API under the {{usermanagement}} path.

This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default.

The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

CNA Affected

[
  {
    "vendor": "Atlassian",
    "product": "Crowd Data Center",
    "versions": [
      {
        "version": "before 3.0.0",
        "status": "unaffected"
      },
      {
        "version": "before 4.4.4",
        "status": "affected"
      },
      {
        "version": "before 5.0.3",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Atlassian",
    "product": "Crowd Server",
    "versions": [
      {
        "version": "before 3.0.0",
        "status": "unaffected"
      },
      {
        "version": "before 4.4.4",
        "status": "affected"
      },
      {
        "version": "before 5.0.3",
        "status": "affected"
      }
    ]
  }
]

References

jira.atlassian.com/browse/CWD-5888