Vulnerability identifier: #VU31158
Vulnerability risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-384
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Crowd (Server applications / Directory software, identity management)
Vendor: Atlassian
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Crowd: 3.3.0 - 3.3.3
External links
http://www.securityfocus.com/bid/107036
http://jira.atlassian.com/browse/CWD-5361
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.