Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-20238

Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.

Published

2019-02-13T18:29:00.697

Last Modified

2024-11-21T04:01:08.743

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-384

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	atlassian	crowd	< 3.2.7	Yes
Application	atlassian	crowd	< 3.3.4	Yes

References

http://www.securityfocus.com/bid/107036 Third Party Advisory, VDB Entry ([email protected])
https://jira.atlassian.com/browse/CWD-5361 Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/107036 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://jira.atlassian.com/browse/CWD-5361 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)