CVE-2022-43782Improper Authentication in Atlassian Crowd

CWE-287Improper Authentication3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.8%
top 25.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Atlassian CrowdAtlassian Crowd Data CenterAtlassian Crowd Server
Timeline
PublishedNov 17

Description

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDatlassian/crowd3.0.04.4.4+1
CVEListV5atlassian/crowd_serverbefore 4.4.4, before 5.0.3+1
CVEListV5atlassian/crowd_data_centerbefore 4.4.4, before 5.0.3+1

Patches

Patch: jira.atlassian.comPatch: jira.atlassian.com

🔴Vulnerability Details

2
GHSA
GHSA-j835-6ff4-p3mc: Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability t2022-11-17
CVEList
CVE-2022-43782: Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability t2022-11-17
CVE-2022-43782 — Improper Authentication in Atlassian | cvebase