Main Vulnerability Database SB2019032909

SB2019032909 - Improper Authentication in Atlassian Crowd

Published: March 29, 2019 Updated: August 9, 2020

Security Bulletin ID SB2019032909

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authentication (CVE-ID: CVE-2017-18106)

The vulnerability allows a remote authenticated user to execute arbitrary code.

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.

Remediation

Install update from vendor's website.

References

https://jira.atlassian.com/browse/CWD-5061