{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-43782","assignerOrgId":"f08a6ab8-ed46-4c22-8884-d911ccfe3c66","state":"PUBLISHED","assignerShortName":"atlassian","requesterUserId":"4ceb4895-2afc-4c29-bf72-c2e04b367c52","dateReserved":"2022-10-26T14:49:11.115Z","datePublished":"2022-11-17T00:00:01.315Z","dateUpdated":"2024-10-02T15:05:47.174Z"},"containers":{"cna":{"affected":[{"vendor":"Atlassian","product":"Crowd Data Center","versions":[{"version":"before 3.0.0","status":"unaffected"},{"version":"before 4.4.4","status":"affected"},{"version":"before 5.0.3","status":"affected"}]},{"vendor":"Atlassian","product":"Crowd Server","versions":[{"version":"before 3.0.0","status":"unaffected"},{"version":"before 4.4.4","status":"affected"},{"version":"before 5.0.3","status":"affected"}]}],"descriptions":[{"lang":"en","value":"Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path.\n\nThis vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default.\n\nThe affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3"}],"problemTypes":[{"descriptions":[{"description":"Security Misconfiguration","lang":"en","type":"Security Misconfiguration"}]}],"references":[{"url":"https://jira.atlassian.com/browse/CWD-5888"}],"credits":[{"lang":"en","value":"Ashish Kotha"}],"providerMetadata":{"orgId":"f08a6ab8-ed46-4c22-8884-d911ccfe3c66","shortName":"atlassian","dateUpdated":"2022-11-17T00:00:01.315Z"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T13:40:06.314Z"},"title":"CVE Program Container","references":[{"url":"https://jira.atlassian.com/browse/CWD-5888","tags":["x_transferred"]}]},{"affected":[{"vendor":"atlassian","product":"crowd","cpes":["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"3.0.0","status":"affected","lessThan":"4.4.4","versionType":"custom"},{"version":"5.0.0","status":"affected","lessThan":"5.0.3","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-10-02T15:01:35.451793Z","id":"CVE-2022-43782","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-02T15:05:47.174Z"}}]}}