CVE-2022-43782

Summary

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path.

This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default.

The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

Affected Software

VendorProductVersion RangeStatus
AtlassianCrowd Data Centerbefore 3.0.0unaffected
AtlassianCrowd Data Centerbefore 4.4.4affected
AtlassianCrowd Data Centerbefore 5.0.3affected
AtlassianCrowd Serverbefore 3.0.0unaffected
AtlassianCrowd Serverbefore 4.4.4affected
AtlassianCrowd Serverbefore 5.0.3affected

Weaknesses

  • Security Misconfiguration

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References