LDAP Password Exposure in Atlassian Crowd by Remote Administrators
CVE-2016-10740
4.9 MEDIUM
Summary
Atlassian Crowd before version 2.10.1 allows remote attackers who hold administrative privileges to discover the passwords of configured LDAP directories through the responses produced by resource requests. The password at stake is the bind credential Crowd itself uses to connect to each directory, so a malicious or compromised Crowd administrator account gains a secret that should stay inside Crowd's own configuration store. The "Privileges Required: High" rating reflects that only administrators can issue these requests; it does not make the issue benign, because holding Crowd admin rights should not imply possession of the directory's bind secret. Upgrade to 2.10.1 or later; where an unauthorised administrator may have issued such requests against an affected version, treat the affected directories' bind passwords as exposed and rotate them.
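The failure mode described above is a configuration resource that serialises a stored secret into its response. The following is an added example, not Atlassian code and not the Crowd REST API: it contrasts a leaky serializer with an allow-list one, and provides a regression check that scans a response body for a configured bind password, including its JSON-escaped form, which a naive substring match misses. The directory record, field names and sample values are constructed for illustration.

```python
"""Added example (not Atlassian code): a configuration resource that leaks
the stored LDAP bind password, its allow-list replacement, and a check that
flags the leak. Field names and the sample directory are constructed."""
import json
from dataclasses import dataclass, field


@dataclass
class LdapDirectory:
    """Constructed model of a configured LDAP directory (not Crowd's schema)."""
    name: str
    url: str
    base_dn: str
    bind_dn: str
    bind_password: str          # secret: must never reach an API response
    attributes: dict = field(default_factory=dict)


def serialize_leaky(d: LdapDirectory) -> str:
    """Vulnerable pattern: dump the whole object, secret included."""
    return json.dumps(d.__dict__)


# Allow-list of fields the resource is permitted to return. Anything not
# listed here, including the bind password, is never serialised.
SAFE_FIELDS = ("name", "url", "base_dn", "bind_dn", "attributes")


def serialize_safe(d: LdapDirectory) -> str:
    """Hardened pattern: allow-listed fields only; report the secret as
    present/absent so an admin UI can still show that one is configured."""
    out = {k: getattr(d, k) for k in SAFE_FIELDS}
    out["bind_password_set"] = bool(d.bind_password)
    return json.dumps(out)


def find_secret_leaks(body: str, secrets) -> list:
    """Regression check: return every secret that appears in the response
    body, matching both the raw value and its JSON string encoding (quotes
    and backslashes are escaped in a JSON body, so a raw match alone misses
    passwords containing those characters)."""
    leaked = []
    for s in secrets:
        if not s:
            continue
        forms = {s, json.dumps(s)[1:-1]}   # strip the surrounding quotes
        if any(f in body for f in forms):
            leaked.append(s)
    return leaked


# Constructed sample; the password deliberately contains a quote and a
# backslash to exercise the escaped-form check.
SAMPLE = LdapDirectory(
    name="corp-ldap",
    url="ldaps://ldap.example.internal:636",
    base_dn="dc=example,dc=internal",
    bind_dn="cn=crowd-bind,ou=svc,dc=example,dc=internal",
    bind_password='Sv"c-P@ss\\2016',
    attributes={"user_object_class": "inetOrgPerson"},
)

if __name__ == "__main__":
    for label, body in (("leaky", serialize_leaky(SAMPLE)),
                        ("safe", serialize_safe(SAMPLE))):
        leaks = find_secret_leaks(body, [SAMPLE.bind_password])
        print(f"{label}: {'LEAK' if leaks else 'ok'}  {body}")
```

The allow-list direction matters: a deny-list that strips `bind_password` silently starts leaking again the day someone adds a second secret field. Running `find_secret_leaks` over every admin-resource response in an integration test, with the real configured secrets as input, turns this class of bug into a failing build rather than an advisory.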
CVSS v3.1
Score: 4.9
Severity: MEDIUM
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None