CVE-2022-43782
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path.
This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default.
The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Atlassian | Crowd Data Center | before 3.0.0 | unaffected |
| Atlassian | Crowd Data Center | before 4.4.4 | affected |
| Atlassian | Crowd Data Center | before 5.0.3 | affected |
| Atlassian | Crowd Server | before 3.0.0 | unaffected |
| Atlassian | Crowd Server | before 4.4.4 | affected |
| Atlassian | Crowd Server | before 5.0.3 | affected |
Weaknesses
- Security Misconfiguration
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.