Main Vulnerability Database Vulnerabilities #VU41121

#VU41121 Improper Authentication in Crowd Server - CVE-2017-18106

Published: March 29, 2019 / Updated: August 9, 2020

Vulnerability identifier: #VU41121

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-18106

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Crowd Server

Software vendor:
Atlassian

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.

Remediation

Install update from vendor's website.

External links

https://jira.atlassian.com/browse/CWD-5061

#VU41121 Improper Authentication in Crowd Server - CVE-2017-18106

Description

Remediation

External links

Please verify you're human