CVE-2017-18106
low-risk
Published 2019-03-29
The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.
Do I need to act?
-
0.54% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (2)
Issue Tracking
https://jira.atlassian.com/browse/CWD-5061
Issue Tracking
https://jira.atlassian.com/browse/CWD-5061
29
/ 100
low-risk
Severity
22/34 · High
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal