#VU69412 Improper access control in Crowd - CVE-2022-43782


Vulnerability identifier: #VU69412

Vulnerability risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-43782

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Crowd
Server applications / Directory software, identity management

Vendor: Atlassian

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a security misconfiguration. A remote attacker connecting from an IP address on the allow list can authenticate as the crowd application without passing the password check, access privileged endpoints in Crowd's REST API under the usermanagement path, and compromise the affected application.

The vulnerability exists only under the following conditions:

  • the vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.
  • an IP address has been added to the Remote Address configuration of the crowd application (this configuration is empty by default in versions after 3.0.0).

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Crowd: 3.0 - 3.0.5, 3.1 - 3.1.6, 3.2 - 3.2.8, 3.3 - 3.3.6, 3.4 - 3.4.6, 3.5.0 - 3.5.1, 3.6.0 - 3.6.2, 3.7.0 - 3.7.2, 4.0.0 - 4.0.5, 4.1.0 - 4.1.10, 4.2.0 - 4.2.5, 4.3.0 - 4.3.9, 4.4.0 - 4.4.3, 5.0 - 5.0.2
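The bulletin's exposure conditions (affected version, new installation, non-empty Remote Address configuration) can be turned into a triage check for an inventory of Crowd instances. The following is an added example, not Atlassian's code or part of this bulletin; it copies the version ranges from the line above verbatim and assumes Crowd version strings are dotted numeric values. The `fresh_install` and `remote_addresses` inputs are assumed to come from your own asset inventory or the instance's configuration.

```python
"""Triage helper for #VU69412 / CVE-2022-43782 (added example, not vendor code).

Assumptions: Crowd versions are dotted numeric strings such as "4.1.10";
the affected ranges below are copied from the bulletin and are inclusive.
"""
from __future__ import annotations

# Copied verbatim from the bulletin's "Vulnerable software versions" line.
AFFECTED_RANGES_TEXT = (
    "3.0 - 3.0.5, 3.1 - 3.1.6, 3.2 - 3.2.8, 3.3 - 3.3.6, 3.4 - 3.4.6, "
    "3.5.0 - 3.5.1, 3.6.0 - 3.6.2, 3.7.0 - 3.7.2, 4.0.0 - 4.0.5, "
    "4.1.0 - 4.1.10, 4.2.0 - 4.2.5, 4.3.0 - 4.3.9, 4.4.0 - 4.4.3, 5.0 - 5.0.2"
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.1.10' into (4, 1, 10) so comparisons are numeric, not lexical
    (a string compare would wrongly rank '4.1.10' below '4.1.9')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_ranges(text: str) -> list[tuple[tuple[int, ...], tuple[int, ...]]]:
    """Parse 'a - b, c - d' into [(a, b), (c, d)] with each bound as a tuple."""
    ranges = []
    for chunk in text.split(","):
        low, high = (parse_version(p) for p in chunk.split("-"))
        ranges.append((low, high))
    return ranges


AFFECTED_RANGES = parse_ranges(AFFECTED_RANGES_TEXT)


def is_affected(version: str) -> bool:
    """True if the version lies inside any inclusive affected range.
    Tuple ordering makes (3, 0) <= (3, 0, 0) <= (3, 0, 5) hold as intended."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def assess(version: str, remote_addresses: list[str], fresh_install: bool) -> tuple[bool, str]:
    """Apply the bulletin's conditions and return (exposed, reason).

    remote_addresses: the crowd application's Remote Address entries (assumed
    to be read from the instance configuration by the caller).
    fresh_install: False if the instance was upgraded from a pre-3.0.0 version.
    """
    if not is_affected(version):
        return False, f"Crowd {version} is outside the affected version ranges"
    if not fresh_install:
        return False, "instance was upgraded from a pre-3.0.0 version; bulletin says not affected"
    if not remote_addresses:
        return False, "Remote Address configuration is empty (the default after 3.0.0)"
    return True, (
        f"Crowd {version} is in an affected range, is a new installation, and "
        f"allow-lists {len(remote_addresses)} remote address(es): install the vendor update"
    )


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("crowd-prod", "4.4.3", ["10.0.0.5"], True),
        ("crowd-legacy", "4.4.3", ["10.0.0.5"], False),
        ("crowd-new", "5.0.3", ["10.0.0.5"], True),
    ]
    for name, ver, addrs, fresh in inventory:
        exposed, reason = assess(ver, addrs, fresh)
        print(f"{name}: {'EXPOSED' if exposed else 'ok'} - {reason}")
```

Note that the check only tells you whether the bulletin's stated conditions hold; it does not probe the instance, and an affected version should still be updated regardless of the current Remote Address setting, since that configuration can change later.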


External links
https://jira.atlassian.com/browse/CWD-5888


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
