Main Vulnerability Database Vulnerabilities #VU41121

Improper Authentication in Crowd Server - CVE-2017-18106

Published: March 29, 2019 / Updated: August 9, 2020

Vulnerability identifier: #VU41121

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-18106

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Atlassian

Affected software:
Crowd Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.

How to mitigate CVE-2017-18106

Install update from vendor's website.

Sources

https://jira.atlassian.com/browse/CWD-5061

Improper Authentication in Crowd Server - CVE-2017-18106

Detailed vulnerability description

How to mitigate CVE-2017-18106

Sources

Please verify you're human