CVE-2017-18106

7.5HIGH

Key Information:

Vendor: Atlassian
Status: Crowd
Vendor: CVE Published:; 29 March 2019

Summary

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.

Affected Version(s)

Crowd < 2.9.1

References

https://jira.atlassian.com/browse/CWD-5061

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 29, 2019
Vulnerability Reserved
Feb 1, 2018