CVE-2022-43782

17.11.2022, 00:15

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path.

This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default.

The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
atlassian	crowd	3.0.0 ≤ 𝑥 < 4.4.4
atlassian	crowd	5.0.0 ≤ 𝑥 < 5.0.3

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
atlassian	crowd	3.0.0 ≤ 𝑥 < 4.4.4	ADP
atlassian	crowd	5.0.0 ≤ 𝑥 < 5.0.3	ADP

References

https://jira.atlassian.com/browse/CWD-5888