History: Jan 31, 2018 - 2:00 p.m.

CVE-2017-16858

2018-01-31 14:00:00
CWE-863
atlassian
www.cve.org
3

EPSS: 0.001

Percentile: 26.9%

The ‘crowd-application’ plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was possible to authenticate REST requests using the credentials of the user coming from directory 2 and impersonate the user from directory 1.

CNA Affected

[
  {
    "product": "Crowd",
    "vendor": "Atlassian",
    "versions": [
      {
        "status": "affected",
        "version": "from 1.5.0 before 3.1.2"
      }
    ]
  }
]
