Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-43782: [CWD-5888] Crowd DC Critical Security Misconfiguration Vulnerability - CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd’s REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

CVE
#vulnerability#auth
  • **Type: ** Public Security Vulnerability
  • **Priority: ** Low

  • Resolution: Fixed

  • Affects Version/s: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.5, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.1.5, 3.1.6, 3.2.5, 3.3.2, 3.2.6, 3.2.7, 3.2.8, 3.2.11, 4.0.0, 4.1.0, 4.0.2, 4.2.0, 4.0.3, 4.1.2, 4.0.4, 4.1.3, 4.2.1, 4.3.0, 4.1.5, 4.2.2, 4.1.6, 4.1.8, 4.1.9, 4.2.3, 4.1.10, 4.2.4, 4.3.5, 4.2.5, 4.3.7, 4.3.8, 4.4.0, 4.4.1, 4.4.2, 5.0.0, 5.0.1, 4.3.9, 4.4.3, 5.0.2

  • Component/s: None

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and call privileged endpoints in Crowd’s REST API under the usermanagement path.

This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is none by default.

The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3

Affected versions:

  • 3.x.x
  • 4.x.x < 4.4.4
  • 5.x.x < 5.0.3

Fixed versions:

  • 4.4.4
  • 5.0.3

Mitigation/Workaround:

To remediate this vulnerability, update each affected product installation to a fixed version listed above.

If you’re unable to upgrade Crowd, a temporary mitigation is to remove or validate any Remote Addresses for crowd application in the Crowd product. You can navigate to the Remote Address configuration by following the document here, and remove any remote addresses accordingly.

Additionally, change password for the crowd application to a strong password especially if a remote address is necessary.

For additional details, please see full advisory here: https://confluence.atlassian.com/x/UXurRQ

Related news

Atlassian's Jira Software Found Vulnerable to Critical Authentication Vulnerability

Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances. The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity. "An

Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products. The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system. CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center,

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907