
Crowd Security Advisory (November 2022)

Jimi Wikman

Summary: CVE-2022-43782 - Critical security misconfiguration vulnerability
Advisory Release Date: 16 Nov 2022 10 AM PDT (Pacific Time, -7 hours)
Product: Crowd Server and Data Center
CVE ID(s): CVE-2022-43782
More information: https://confluence.atlassian.com/crowd/crowd-security-advisory-november-2022-1168866129.html


Summary of vulnerability

This advisory discloses a critical-severity security misconfiguration vulnerability that was introduced in Crowd 3.0.0. Crowd 3.0.0 and all later versions are affected, but only if both of the following conditions are met:

  • The vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.

    • A new installation is defined as an instance of Crowd that is still the same version that you originally downloaded from the downloads page and has not been upgraded since.

  • An IP address has been added to the Remote Addresses configuration of the crowd application (this list is empty by default in 3.0.0 and later).

The vulnerability allows an attacker connecting from an IP address in the allowlist to authenticate as the crowd application by bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd's REST API under the usermanagement path. As explained above, it can only be exploited from IP addresses specified in the crowd application's allowlist in the Remote Addresses configuration. To remediate the vulnerability, Atlassian recommends that you upgrade your instance to one of the fixed versions listed in the 'Fixed Versions' section below.

This issue can be tracked here:

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Affected versions

All versions of Crowd from 3.0.0 onwards are affected, which means all new installations running any of the following versions:

  • Crowd 3.0.0 - Crowd 3.7.2

  • Crowd 4.0.0 - Crowd 4.4.3

  • Crowd 5.0.0 - Crowd 5.0.2

As mentioned earlier, only new installations are vulnerable. For example, if you upgraded from version 2.9.1 to 3.0.0, your instance is not affected. But in this case, any default remote addresses that were in version 2.9.1 will be carried over to the instance running version 3.0.0. These can be removed from the Remote Address configuration for the crowd application as well.
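The three conditions above (affected version range, never-upgraded installation, non-empty Remote Addresses allowlist) are easy to misapply during triage, so here is a small helper that encodes them. This is an added example, not part of the advisory and not Atlassian's code. The affected ranges are taken from the list above; the `fresh_install` flag and the `remote_addresses` list are assumed inputs that you fill in from your own Crowd administration console, since this example does not query Crowd itself.

```python
"""Triage helper for CVE-2022-43782 (Crowd Server and Data Center).

Added example, not Atlassian's code. It encodes the advisory's conditions:
an affected version, a new (never-upgraded) installation, and a non-empty
Remote Addresses allowlist for the "crowd" application.
"""
from __future__ import annotations

# Affected version ranges listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 7, 2)),
    ((4, 0, 0), (4, 4, 3)),
    ((5, 0, 0), (5, 0, 2)),
)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.4.3' into (4, 4, 3).

    A trailing suffix such as '-jira1' is dropped, and short versions like
    '4.4' are padded with zeros so tuple comparison works uniformly.
    """
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def version_in_affected_range(version: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def is_exposed(version: str, fresh_install: bool,
               remote_addresses: list[str]) -> tuple[bool, str]:
    """Apply the advisory's conditions and return (exposed, reason).

    fresh_install: True if the instance is the version originally installed
        and has never been upgraded (assumed input, read from your records).
    remote_addresses: the Remote Addresses configured for the crowd
        application (assumed input, copied from the admin console).
    """
    if not version_in_affected_range(version):
        return False, f"Crowd {version} is outside the affected version ranges"
    if not fresh_install:
        return False, ("instance was upgraded from an earlier version, so it is "
                       "not affected; still review any carried-over remote addresses")
    addresses = [a.strip() for a in remote_addresses if a.strip()]
    if not addresses:
        return False, "no Remote Addresses are configured for the crowd application"
    return True, ("affected version on a new installation with allowlisted "
                  f"addresses: {', '.join(addresses)}; upgrade to a fixed version")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("crowd-prod", "5.0.2", True, ["10.20.30.40"]),
        ("crowd-legacy", "3.5.1", False, ["192.0.2.10"]),
        ("crowd-test", "4.4.3", True, []),
    ]
    for name, ver, fresh, addrs in inventory:
        exposed, reason = is_exposed(ver, fresh, addrs)
        print(f"{name}: {'EXPOSED' if exposed else 'not exposed'} ({reason})")
```

The helper deliberately reports "not exposed" for upgraded instances, matching the advisory, but its reason string reminds you to review carried-over remote addresses, because the paragraph above notes that entries from a pre-3.0.0 install survive the upgrade.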

Other Atlassian Data Center and Server products that rely on Embedded Crowd for user management are not affected.
