Project: Crowd Data Center
[CWD-5888] Crowd DC Critical Security Misconfiguration Vulnerability - CVE-2022-43782

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 5.1.0, 4.4.4, 5.0.3
    • Affects Version/s (51): 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.5, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.1.5, 3.1.6, 3.2.5, 3.3.2, 3.2.6, 3.2.7, 3.2.8, 3.2.11, 4.0.0, 4.1.0, 4.0.2, 4.2.0, 4.0.3, 4.1.2, 4.0.4, 4.1.3, 4.2.1, 4.3.0, 4.1.5, 4.2.2, 4.1.6, 4.1.8, 4.1.9, 4.2.3, 4.1.10, 4.2.4, 4.3.5, 4.2.5, 4.3.7, 4.3.8, 4.4.0, 4.4.1, 4.4.2, 5.0.0, 5.0.1, 4.3.9, 4.4.3, 5.0.2
    • Component/s: None
    • CVSS Score: 9.1
    • Severity: Critical
    • CVE ID: CVE-2022-43782
    • Affected Product(s): Crowd Data Center, Crowd Server

      Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and call privileged endpoints in Crowd's REST API under the usermanagement path.

      This vulnerability can only be exploited from IPs listed in the crowd application's allowlist in the Remote Addresses configuration, which is empty by default.

      The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3.

      Affected versions:

      • 3.x.x
      • 4.x.x < 4.4.4
      • 5.x.x < 5.0.3

      Fixed versions:

      • 4.4.4
      • 5.0.3
      • 5.1.0


      Mitigation/Workaround:

      To remediate this vulnerability, update each affected product installation to a fixed version listed above.

      If you're unable to upgrade Crowd, a temporary mitigation is to remove or validate any Remote Addresses for the crowd application in the Crowd product. You can navigate to the Remote Address configuration by following the document here: https://confluence.atlassian.com/crowd/specifying-an-application-s-address-or-hostname-25788433.html, and remove any remote addresses accordingly.

      Additionally, change the password for the crowd application to a strong password, especially if a remote address is necessary.
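      As an added illustration of the advisory's version ranges and its workaround (constructed example code, not Atlassian's; the JSON export shape, the `applications`/`remote_addresses` keys and the sample addresses are assumptions), a small Python audit that classifies a Crowd version as affected or not and lists every Remote Address configured for the crowd application:

```python
"""Added helpers for CVE-2022-43782: version check and 'crowd' allowlist audit."""
import ipaddress
import json

# Affected ranges exactly as the advisory states them: [lower, upper).
AFFECTED_RANGES = [
    ((3, 0, 0), (4, 0, 0)),  # all 3.x.x
    ((4, 0, 0), (4, 4, 4)),  # 4.x.x before 4.4.4
    ((5, 0, 0), (5, 0, 3)),  # 5.x.x before 5.0.3
]

# Constructed sample in a hypothetical export shape (not a real Crowd format).
SAMPLE_CONFIG = json.loads("""{"applications": [
  {"name": "jira",  "remote_addresses": ["10.0.0.5"]},
  {"name": "crowd", "remote_addresses": ["203.0.113.7", "10.0.0.0/8", "*.corp.example"]}
]}""")

def parse_version(text):
    """'4.4.3' -> (4, 4, 3); missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the given Crowd version lies in an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def classify_entry(entry):
    """Single IP -> 'host'; CIDR block -> 'range'; hostname/wildcard -> 'pattern'."""
    try:
        net = ipaddress.ip_network(entry, strict=False)  # a bare IP parses as a /32
    except ValueError:
        return "pattern"  # cannot be pinned to one source address
    return "range" if net.num_addresses > 1 else "host"

def audit_crowd_allowlist(config):
    """(entry, kind) for each remote address of the 'crowd' application; the
    workaround is to remove or validate every one, so each result is a finding."""
    findings = []
    for app in config.get("applications", []):
        if app.get("name") == "crowd":
            for entry in app.get("remote_addresses", []):
                findings.append((entry, classify_entry(entry)))
    return findings

if __name__ == "__main__":
    for entry, kind in audit_crowd_allowlist(SAMPLE_CONFIG):
        print(f"crowd application remote address {entry!r}: {kind}")
```

      'range' and 'pattern' entries are the broadest and deserve review first; an empty result matches the default, unexploitable configuration.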


      For additional details, please see full advisory here: https://confluence.atlassian.com/x/UXurRQ
