Remote Code Execution Flaw in Atlassian Crowd Administration SMTP Configuration
CVE-2017-18108
7.2 HIGH
Summary
The Atlassian Crowd administration SMTP configuration is susceptible to a remote code execution vulnerability. The issue affects versions prior to 2.10.2, in which an attacker with administrative rights can exploit JNDI injection to execute arbitrary code. Mitigation is to update to the latest version and to secure administration access.
Affected Version(s)
Crowd < 2.10.2
CVSS V3.1
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved