QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2017-16858

Back to search

CVE-2017-16858

Published: Jan 31, 2018

Modified: Sep 17, 2024

PUBLISHED

Description

The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was possible to authenticate REST requests using the credentials of the user coming from directory 2 and impersonate the user from directory 1.

VendorProductVersions

Atlassian

Crowd

affected
from 1.5.0 before 3.1.2

Weaknesses (CWE)

CWE-863

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now