Session Fixation in Crowd Server - CVE-2018-20238


Published: February 13, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU31158
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-20238
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Atlassian
Affected software:
Crowd Server

Detailed vulnerability description

The vulnerability allows a remote attacker who holds an expired user session to keep authenticating to Crowd's REST resources with it, and so to read and manipulate data within the privileges of the session's user.

Various REST resources in Atlassian Crowd before version 3.2.7, and from version 3.3.0 before version 3.3.4, allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. Although this entry is filed under CWE-384 (Session Fixation), the behaviour described is an insufficient-session-expiration issue: a session that should no longer be valid continues to be honoured by the REST layer, so a token an attacker obtained earlier (for example from a shared machine or a log) stays usable past the point at which the application believes it has expired.
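To make the flaw class concrete, the following is an added, self-contained Python example and not Atlassian Crowd code; the session store, token format and both check functions are hypothetical stand-ins. It places the vulnerable pattern (any token that was ever issued is accepted, so an expired or logged-out session still authenticates) beside the hardened pattern (the token must exist, must not be revoked, and must be presented before its expiry), and walks one token through fresh, expired and logged-out states with an injectable clock so the comparison runs offline.

```python
"""
Illustration of the insufficient-session-expiration flaw class behind
CVE-2018-20238. Hypothetical code written for this page; it is NOT the
Crowd implementation and makes no claim about Crowd's internals.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    ttl_seconds: float
    revoked: bool = False  # set on logout or administrative invalidation

    def expires_at(self) -> float:
        return self.issued_at + self.ttl_seconds


class SessionStore:
    """Minimal in-memory session store (hypothetical stand-in)."""

    def __init__(self, ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so the example can advance time
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.clock(), self.ttl_seconds)
        return token

    def logout(self, token: str) -> None:
        if token in self._sessions:
            self._sessions[token].revoked = True

    def _lookup(self, token: str) -> Optional[Session]:
        # Constant-time comparison against each stored token so a real
        # service would not leak token bytes through comparison timing.
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return sess
        return None

    def authenticate_vulnerable(self, token: str) -> Optional[str]:
        """Vulnerable pattern: a token that was ever issued is accepted.
        Neither expiry nor revocation is checked, so a stale session
        keeps working against the resource."""
        sess = self._lookup(token)
        return sess.user if sess else None

    def authenticate_fixed(self, token: str) -> Optional[str]:
        """Hardened pattern: exists, not revoked, and not yet expired."""
        sess = self._lookup(token)
        if sess is None or sess.revoked:
            return None
        if self.clock() >= sess.expires_at():
            # Drop the stale entry so it cannot be replayed later either.
            self._sessions.pop(token, None)
            return None
        return sess.user


class FakeClock:
    """Deterministic clock for the walkthrough (constructed test input)."""

    def __init__(self, now: float = 1_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenario() -> Dict[str, Optional[str]]:
    """Walk tokens through fresh, expired and logged-out states and
    record what each check returns."""
    clock = FakeClock()
    store = SessionStore(ttl_seconds=600, clock=clock)
    results: Dict[str, Optional[str]] = {}

    token = store.create("alice")
    results["fresh_vulnerable"] = store.authenticate_vulnerable(token)
    results["fresh_fixed"] = store.authenticate_fixed(token)

    clock.advance(601)  # one second past the TTL
    results["expired_vulnerable"] = store.authenticate_vulnerable(token)
    results["expired_fixed"] = store.authenticate_fixed(token)

    token2 = store.create("bob")
    store.logout(token2)
    results["logged_out_vulnerable"] = store.authenticate_vulnerable(token2)
    results["logged_out_fixed"] = store.authenticate_fixed(token2)

    results["garbage_fixed"] = store.authenticate_fixed("not-a-token")
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:24s} -> {outcome}")
```

The practitioner-level point is in the two `authenticate_*` methods: the vulnerable one answers "was this token ever issued?", the fixed one answers "is this token valid right now?", which requires a server-side expiry check and a revocation flag that logout actually sets. Any REST endpoint that authenticates from a session identifier needs the second question answered on every request, not only at login.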


How to mitigate CVE-2018-20238

Install the update from the vendor's website: upgrade to Crowd 3.2.7 or later on the 3.2.x line, or to 3.3.4 or later on the 3.3.x line, as those are the first versions outside the affected ranges.

Sources