Atlassian has released a security update for a critical vulnerability (CVE-2022-43782) in Crowd Server and Data Center.
Atlassian Crowd is a centralized identity management application that handles authentication and authorization for web-based applications. It manages users from multiple directories such as Active Directory, LDAP, OpenLDAP, or Microsoft Azure AD, and it controls application authentication permissions from a single location.
CVE-2022-43782 is a security misconfiguration vulnerability that exists in multiple versions of Crowd Server and Data Center. To exploit it, an attacker must connect from an IP address in the Crowd application's Remote Address allow list. From such an address, the attacker can bypass the password check and authenticate as the Crowd application, and then use the usermanagement path of Crowd's REST API to call privileged endpoints.
All Crowd versions released after 3.0.0 are affected by this vulnerability only if both of the following conditions are met:
- The instance is a new installation of an affected version. A new installation is an instance of Crowd that was originally downloaded from the downloads page and has not been upgraded since; if you upgraded from an older version, for example from 2.9.1 to 3.0.0 or later, your instance is not affected.
- An IP address has been added to the Remote Address configuration of the Crowd application (this list is empty by default in versions after 3.0.0).
The complete list of affected versions includes:
- Crowd 3.0.0 – Crowd 3.7.2
- Crowd 4.0.0 – Crowd 4.4.3
- Crowd 5.0.0 – Crowd 5.0.2
Customers should update to the fixed versions mentioned below:
- Crowd 5.0.3 or later
- Crowd 4.4.4 or later
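As an added example (not code from this post, from Qualys, or from Atlassian), the Python script below encodes the affected and fixed version ranges listed above together with the two exposure conditions from the advisory, so that an inventory export of Crowd instances can be triaged offline. The CrowdAsset field names, the sample hosts, and the choice of 4.4.4 as the upgrade target for 3.x instances (the lowest fixed line the advisory lists) are assumptions made for the example.

```python
"""Triage helper for CVE-2022-43782 in Atlassian Crowd.

Added example; not Atlassian's or Qualys's code. It encodes the affected and
fixed version ranges from the advisory together with the two exposure
conditions (a new installation of an affected version, and at least one
entry in the Crowd application's Remote Address configuration). The asset
fields are assumptions about what an inventory export would provide.
"""
from dataclasses import dataclass, field

# Inclusive affected ranges from the advisory, as (major, minor, patch) tuples.
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 7, 2)),
    ((4, 0, 0), (4, 4, 3)),
    ((5, 0, 0), (5, 0, 2)),
)

# First fixed release on each release line that received a fix.
FIXED_RELEASES = {4: (4, 4, 4), 5: (5, 0, 3)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a dotted Crowd version such as '4.4.3' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Crowd version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_is_affected(version: tuple[int, int, int]) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def fixed_target(version: tuple[int, int, int]) -> str:
    """Smallest fixed release a vulnerable instance should move to.

    The advisory lists fixes only on the 4.4.x and 5.0.x lines, so a 3.x
    instance is pointed at the lowest fixed line listed (4.4.4); that
    choice is an assumption of this example.
    """
    target = FIXED_RELEASES.get(version[0], FIXED_RELEASES[4])
    return ".".join(str(n) for n in target)


@dataclass
class CrowdAsset:
    """Inventory record for one Crowd instance (field names are assumptions)."""
    host: str
    version: str
    # Entries in the Crowd application's Remote Address configuration.
    remote_addresses: list[str] = field(default_factory=list)
    # True if installed fresh at 3.0.0 or later; False if upgraded from an
    # older release, which the advisory says is not affected.
    new_installation: bool = True


def assess(asset: CrowdAsset) -> dict:
    """Classify one asset against CVE-2022-43782.

    'affected_version' is true whenever the version is in an affected range;
    'exposed' additionally requires both advisory conditions, because a
    vulnerable build with an empty allow list or an upgraded history cannot
    be reached through this flaw.
    """
    version = parse_version(asset.version)
    affected = version_is_affected(version)
    exposed = affected and asset.new_installation and bool(asset.remote_addresses)
    if exposed:
        action = f"upgrade to {fixed_target(version)} or later"
    elif affected:
        action = f"not currently exposed; still upgrade to {fixed_target(version)} or later"
    else:
        action = "no action for CVE-2022-43782"
    return {
        "host": asset.host,
        "affected_version": affected,
        "exposed": exposed,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample inventory; hosts and addresses are not real.
    sample = [
        CrowdAsset("crowd-a.example", "5.0.2", ["203.0.113.10"], True),
        CrowdAsset("crowd-b.example", "5.0.2", [], True),
        CrowdAsset("crowd-c.example", "3.5.0", ["203.0.113.11"], False),
        CrowdAsset("crowd-d.example", "4.4.4", ["203.0.113.12"], True),
    ]
    for result in map(assess, sample):
        print(result)
```

The split between "affected_version" and "exposed" matters for prioritisation: an affected build with an empty Remote Address list, or one that was upgraded from a pre-3.0.0 release, is not reachable through this flaw and can be patched on a normal cycle, while an exposed instance should be upgraded first.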
For more information, please refer to the Atlassian Security Advisory.
Qualys customers can scan their devices with QID 730672 to detect vulnerable assets.
Continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.