Severity: 6.8 MEDIUM
EPSS: 0.1% (top 67.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 31 (2018-01-31, CVEList)
Latest update: May 13 (2022-05-13, GHSA)

Description

The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was poss
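The scenario in the description, reduced to a runnable model. This is an added example, not Atlassian Crowd's code: the page does not show how Crowd resolved the caller, so the flawed resolver below is an assumption that reproduces the described effect (a caller who can authenticate as directory 2's "admin" through the Google Apps binding is attributed to directory 1's "admin" on the Crowd application), and the hardened resolver shows the property a fix must have. Directory and application names, passwords and the user "alice" are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    """A resolved identity. Keying on (directory_id, username) is what keeps
    two "admin" accounts in different directories distinct."""
    directory_id: int
    username: str


@dataclass
class Directory:
    id: int
    users: Dict[str, str]  # username -> password (plaintext only in this toy model)

    def authenticate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


@dataclass
class Application:
    name: str
    directory_ids: List[int]  # directories this application is bound to


# Constructed topology taken from the advisory text: the Crowd application is
# bound to directory 1, the Google Apps application to directory 2, and both
# directories contain a user called "admin". Passwords are made up.
DIRECTORIES = {
    1: Directory(1, {"admin": "crowd-admin-secret"}),
    2: Directory(2, {"admin": "gapps-admin-secret", "alice": "alice-pw"}),
}
APPLICATIONS = {
    "crowd": Application("crowd", [1]),
    "google-apps": Application("google-apps", [2]),
}


def authenticate_via(app_name: str, username: str, password: str) -> Optional[Principal]:
    """Check credentials against the directories bound to app_name and return
    the principal that matched (the directory is remembered), or None."""
    for did in APPLICATIONS[app_name].directory_ids:
        if DIRECTORIES[did].authenticate(username, password):
            return Principal(did, username)
    return None


def resolve_vulnerable(target_app: str, caller: Principal) -> Optional[Principal]:
    """Assumed flawed resolution: maps the caller onto a user of target_app by
    username alone, so an "admin" authenticated by directory 2 becomes
    directory 1's "admin" when the target is the Crowd application."""
    for did in APPLICATIONS[target_app].directory_ids:
        if caller.username in DIRECTORIES[did].users:
            return Principal(did, caller.username)
    return None


def resolve_fixed(target_app: str, caller: Principal) -> Optional[Principal]:
    """Hardened resolution: the caller is a user of target_app only if the
    directory that actually authenticated them is bound to target_app."""
    if caller.directory_id in APPLICATIONS[target_app].directory_ids:
        return caller
    return None


Resolver = Callable[[str, Principal], Optional[Principal]]


def rest_request_as(target_app: str, via_app: str, username: str, password: str,
                    resolver: Resolver) -> Optional[Principal]:
    """Simulate a REST call to target_app by a caller who authenticated through
    via_app. Returns the principal the call is attributed to, or None if rejected."""
    caller = authenticate_via(via_app, username, password)
    if caller is None:
        return None
    return resolver(target_app, caller)


if __name__ == "__main__":
    # The attacker knows only directory 2's "admin" password (Google Apps binding).
    for name, resolver in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        who = rest_request_as("crowd", "google-apps", "admin", "gapps-admin-secret", resolver)
        print(f"{name:10s}: request to crowd attributed to {who}")
```

The point of the model is the data type, not the lookup: once an authenticated caller is represented as (directory, username) rather than a bare username, a colliding name in an unrelated directory has nothing to collide with. Only usernames that exist in both directories are exposed by the flawed resolver; "alice", who exists only in directory 2, is rejected by both.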

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2

Read out: reachable over the network, high attack complexity, low privileges required (a valid account in a directory bound to another application), no user interaction, scope unchanged, high confidentiality and integrity impact, no availability impact. The 6.8 base score is the rounded sum of the two sub-scores.

Affected Packages (2)

Source     Package          Introduced   Fixed
NVD        atlassian/crowd  1.5.0        3.1.2
CVEListV5  atlassian/crowd  from 1.5.0   before 3.1.2
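An affected-version check for the range both sources give (1.5.0 inclusive to 3.1.2 exclusive), added here as an example and not a cvebase or Atlassian tool. It compares versions as integer tuples; the naive string comparison is kept beside it because it ranks "3.1.10" below "3.1.2" and would flag a patched build as vulnerable. The "-SNAPSHOT" suffix handling is an assumption about how such version strings might look, not something the page states.

```python
import re

# Range from the NVD and CVEList entries above: from 1.5.0 before 3.1.2.
INTRODUCED = (1, 5, 0)
FIXED = (3, 1, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?")


def parse_version(version: str) -> tuple:
    """Turn 'X.Y' or 'X.Y.Z' (optionally followed by a suffix such as
    '-SNAPSHOT' or a fourth component) into an (X, Y, Z) integer tuple."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unparseable Crowd version: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the given Crowd version falls in [1.5.0, 3.1.2)."""
    return INTRODUCED <= parse_version(version) < FIXED


def naive_is_affected(version: str) -> bool:
    """The string-comparison mistake, kept to show why parse_version exists:
    '3.1.10' < '3.1.2' is True when compared character by character."""
    return "1.5.0" <= version < "3.1.2"


if __name__ == "__main__":
    for v in ("1.4.9", "1.5.0", "2.8.3", "3.1.1", "3.1.2", "3.1.10"):
        print(f"{v:8s} affected={is_affected(v)!s:5s} naive={naive_is_affected(v)}")
```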

🔴 Vulnerability Details (2)

GHSA     GHSA-p3gx-g437-gw6c  2022-05-13
         The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1
CVEList  CVE-2017-16858       2018-01-31
         The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1
Source: cvebase.io, CVE-2017-16858 (MEDIUM, CVSS 6.8)