The version of Atlassian Crowd installed on the remote host is 3.x, 4.x prior to 4.4.4, or 5.x prior to 5.0.3. It is, therefore, affected by a security bypass vulnerability due to security misconfiguration. An unauthenticated, remote attacker can exploit this by authenticating as the crowd application via the security misconfiguration, and calling privileged endpoints in Crowd’s REST API under the {{usermanagement}} path.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.Read More