PT-2022-5601 · Atlassian · Crowd

Ashish Kotha · Published 2022-11-16 · Updated 2024-10-02 · CVE-2022-43782

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Atlassian Crowd versions 3.x.x through 5.x.x before 5.0.3
Atlassian Crowd versions 4.x.x before 4.4.4

Description
The vulnerability stems from an authentication flaw in the REST API of Atlassian Crowd. A remote attacker can use it to elevate their privileges by calling privileged endpoints under the usermanagement path of Crowd's REST API. Exploitation is, however, limited to IP addresses listed in the crowd application's Remote Addresses allowlist, which is empty by default.

Recommendations
For versions 3.x.x, update to a version after 5.0.3 to resolve the issue. For versions 4.x.x before 4.4.4, update to version 4.4.4 or later. For versions 5.x.x before 5.0.3, update to version 5.0.3 or later. As a temporary workaround, consider restricting access to the usermanagement path in the REST API to minimize the risk of exploitation.
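Since exploitation depends on the caller's address being in the Remote Addresses allowlist, any usermanagement REST call from a host outside the set of expected application servers deserves review. The following added example (not part of this advisory or of Atlassian's code) walks constructed reverse-proxy access-log lines and flags such calls; the combined log format, the /crowd/rest/usermanagement/ prefix and the allowlist are assumptions.

```python
"""Flag Crowd usermanagement REST calls from unexpected source addresses.
Sample log lines below are constructed, not real traffic."""
import ipaddress
import re

# Assumption: Crowd sits behind a reverse proxy writing Apache combined-format logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: the privileged endpoints named in the advisory live under this prefix.
SENSITIVE_PREFIX = "/crowd/rest/usermanagement/"


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_usermanagement_calls(lines, allowlist):
    """Return (ip, method, path, status) for usermanagement calls whose source
    address falls outside the allowlisted application networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIX):
            continue  # unparseable line or an unrelated endpoint
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in nets):
            flagged.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return flagged


# Constructed sample access-log lines.
SAMPLE_LOG = [
    '10.0.5.20 - - [16/Nov/2022:10:01:02 +0000] "GET /crowd/rest/usermanagement/1/user?username=jdoe HTTP/1.1" 200 512',
    '203.0.113.77 - - [16/Nov/2022:10:01:09 +0000] "POST /crowd/rest/usermanagement/1/user HTTP/1.1" 201 88',
    '203.0.113.77 - - [16/Nov/2022:10:01:11 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 3001',
    "garbage line that does not parse",
]

# Assumption: only the connected application hosts on this subnet should call the API.
EXPECTED_APP_HOSTS = ["10.0.5.0/24"]

if __name__ == "__main__":
    for hit in flag_usermanagement_calls(SAMPLE_LOG, EXPECTED_APP_HOSTS):
        print("REVIEW:", hit)
```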

Fix

Weakness Enumeration
Improper Authentication

Related Identifiers

BDU:2022-06964
CVE-2022-43782

Affected Products

Crowd