Crowd: Multiple vulnerabilities in log4j < 1.2.7-atlassian-16

Atlassian issue CWD-5802 (jira.atlassian.com), filed by security-metrics-bot, May 18, 2022, 08:53

CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.127 (Low), percentile 95.4%

The version of log4j used by Crowd has been updated from version 1.2.7-atlassian-3 to 1.2.7-atlassian-16 to address the following vulnerabilities:

CVE-2021-4104 (https://vulners.com/cve/CVE-2021-4104)
JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSAppender, nor does Atlassian provide any documentation on using JMSAppender with Crowd. Atlassian has remediated this vulnerability by preventing external JNDI lookups (https://bitbucket.org/atlassian/log4j1/pull-requests/9) in the Atlassian version of log4j.

CVE-2020-9493 (https://vulners.com/cve/CVE-2020-9493) and CVE-2022-23307 (https://vulners.com/cve/CVE-2022-23307)
Apache Chainsaw is bundled with log4j 1.2.x and is vulnerable to a deserialization flaw. A remote, unauthenticated attacker could exploit this to execute arbitrary code. Please note that Chainsaw is a log viewer that is designed to be executed manually. It is not required by Crowd, nor is it executed by default, nor does Atlassian provide any documentation on using Chainsaw with Crowd. Atlassian has remediated this vulnerability by removing Chainsaw (https://bitbucket.org/atlassian/log4j1/commits/3a06f7e94efa98331a875532212a3005fd9766d0) from the Atlassian version of log4j.

CVE-2022-23302 (https://vulners.com/cve/CVE-2022-23302)
JMSSink is vulnerable to a deserialization flaw. A local attacker with privileges to update the Crowd configuration can exploit this to execute arbitrary code. Crowd is not configured to use JMSSink by default, nor does Atlassian provide any documentation on using JMSSink with Crowd. Atlassian has remediated this vulnerability by removing JMSSink (https://bitbucket.org/atlassian/log4j1/commits/48b34334e5278dfd52b361b1ec6943ca4c3b997e) from the Atlassian version of log4j.

CVE-2022-23305 (https://vulners.com/cve/CVE-2022-23305)
JDBCAppender is vulnerable to a SQL injection flaw when configured to use the message converter (%m). A remote, unauthenticated attacker can exploit this to execute arbitrary SQL queries. Crowd is not configured to use JDBCAppender by default, nor does Atlassian provide any documentation on using JDBCAppender with Crowd. Atlassian has remediated this vulnerability by removing JDBCAppender (https://bitbucket.org/atlassian/log4j1/commits/b933fe460d64ccfc027b4efee74a5ce1875fe3be) from the Atlassian version of log4j.

Affected versions of Crowd:

  • Versions < 5.0.0

Fixed versions of Crowd:

  • Versions >= 5.0.0
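The advisory's exposure hinges on two things an administrator can verify locally: whether the instance's log4j.properties actually configures the JMSAppender, JMSSink or JDBCAppender components (and, for JDBCAppender, whether its SQL template interpolates %m), and whether the bundled log4j jar is at least 1.2.7-atlassian-16. The script below is an added example written for this page, not Atlassian's or the log4j project's code. It uses the standard log4j 1.2 class names for the three configurable components (Chainsaw is a standalone viewer, never an appender, so only the jar-version check covers it); the jar filename pattern log4j-<version>-atlassian-<build>.jar is an assumption, and the sample properties file is constructed, not a real Crowd configuration.

```python
import re

# Standard log4j 1.2.x class names of the configurable components the
# advisory covers, mapped to the CVE they relate to.
FLAGGED_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"

# First Atlassian build that contains all the fixes, per the advisory.
FIXED_VERSION = (1, 2, 7, 16)

# log4j.appender.<name>=<class>
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")
# log4j.appender.<name>.<property>=<value>  (one level deep only)
PROP_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\.(\w+)\s*=\s*(.*)$")
# Assumed jar naming for the Atlassian fork, e.g. log4j-1.2.7-atlassian-3.jar
JAR_RE = re.compile(r"log4j-(\d+)\.(\d+)\.(\d+)-atlassian-(\d+)\.jar$")


def scan_log4j_properties(text):
    """Return [(line_no, description), ...] for risky settings in a log4j 1.2
    properties file. Comment lines ('#' or '!') are ignored."""
    lines = [(n, raw.strip()) for n, raw in enumerate(text.splitlines(), 1)]
    lines = [(n, l) for n, l in lines if l and not l.startswith(("#", "!"))]

    # Pass 1: appender name -> configured class, so the .sql check below does
    # not depend on the order of keys in the file.
    classes = {}
    for _, line in lines:
        m = APPENDER_RE.match(line)
        if m:
            classes[m.group(1)] = m.group(2)

    # Pass 2: report flagged classes and %m inside a JDBCAppender SQL template.
    findings = []
    for n, line in lines:
        m = APPENDER_RE.match(line)
        if m:
            name, cls = m.groups()
            for flagged, cve in FLAGGED_CLASSES.items():
                if cls.startswith(flagged):
                    findings.append((n, f"appender '{name}' is {cls} ({cve})"))
            continue
        m = PROP_RE.match(line)
        if m:
            name, prop, value = m.groups()
            # The SQL injection needs the message converter in the SQL template.
            if prop.lower() == "sql" and "%m" in value \
                    and classes.get(name, "").startswith(JDBC_APPENDER):
                findings.append((n, f"appender '{name}' SQL template uses %m (CVE-2022-23305)"))
    return findings


def atlassian_log4j_version(jar_name):
    """Parse 'log4j-1.2.7-atlassian-3.jar' into (1, 2, 7, 3); None if the name
    is not an Atlassian-fork build."""
    m = JAR_RE.search(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def jar_is_fixed(jar_name):
    """True only for an Atlassian-fork jar at or above 1.2.7-atlassian-16."""
    v = atlassian_log4j_version(jar_name)
    return v is not None and v >= FIXED_VERSION


# Constructed sample; not a real Crowd log4j.properties.
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=WARN, console, jms, db
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%d %p [%c] %m%n
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.sql=INSERT INTO app_log (ts, level, msg) VALUES ('%d', '%p', '%m')
"""

if __name__ == "__main__":
    for line_no, desc in scan_log4j_properties(SAMPLE_PROPERTIES):
        print(f"line {line_no}: {desc}")
    for jar in ("log4j-1.2.7-atlassian-3.jar", "log4j-1.2.7-atlassian-16.jar"):
        print(jar, "fixed" if jar_is_fixed(jar) else "NOT fixed")
```

On the constructed sample the scanner reports the JMSAppender on line 6, the JDBCAppender on line 8 and its %m-bearing SQL template on line 9, while the ConsoleAppender and its PatternLayout (where %m is harmless) produce nothing. A jar that is not an Atlassian-fork build is reported as not fixed rather than silently passed, since the advisory's fix applies only to that fork.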
