CVE-2017-18106
HIGH
Atlassian Crowd < 2.9.1 - Authenticated Session Hijacking via Identifier Hash Collision
Title source: llmDescription
In Atlassian Crowd before version 2.9.1, the identifier_hash of a session token could collide with the identifier_hash of another user, including a user in a different directory. A remote attacker who can authenticate to Crowd, or to an application that uses Crowd for authentication, and who can make their identifier hash collide with another user's session identifier hash can therefore gain access to that user's session.
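The advisory describes the bug class but not Crowd's actual hash scheme, so the following is an added, constructed model rather than Crowd's code. It assumes two weaknesses in a hypothetical `VulnerableSessionStore`: the identifier hash covers only the username (so the same name in two directories hashes identically) and is truncated to 16 bits (so a second user name with the same hash is cheap to brute-force). `HardenedSessionStore` shows the standard remedy: an opaque random token that is never derived from identity, with the directory and user held server-side. All class and function names are illustrative.

```python
"""Constructed model of the session-lookup flaw class behind CVE-2017-18106.

Added illustrative example, not Atlassian Crowd's code. The advisory only says
that a session token's identifier_hash could collide with another user's,
including a user in a different directory. VulnerableSessionStore is an assumed
model of that bug class with two constructed weaknesses: the hash covers only
the username (not the directory) and is truncated to 16 bits so a collision is
cheap to find. HardenedSessionStore shows the usual fix.
"""
import hashlib
import secrets
from typing import Dict, Optional


def weak_identifier_hash(username: str) -> str:
    """Assumed weak scheme: SHA-1 of the bare username, truncated to 2 bytes.

    Omits the directory, so 'alice' in directory 1 and 'alice' in directory 2
    hash identically; the truncation makes a second-preimage search trivial.
    """
    return hashlib.sha1(username.encode("utf-8")).digest()[:2].hex()


class VulnerableSessionStore:
    """Session token == identifier_hash; the hash is the session's identity."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, directory_id: int, username: str) -> str:
        token = weak_identifier_hash(username)
        # Assumed model behaviour: an existing session for this hash is reused
        # rather than replaced, so a later login with a colliding hash is
        # handed the earlier principal's session.
        self._sessions.setdefault(token, {"directory": directory_id, "user": username})
        return token

    def resolve(self, token: str) -> Optional[dict]:
        return self._sessions.get(token)


def find_colliding_username(target: str, max_tries: int = 2_000_000) -> str:
    """Brute-force a different username whose weak hash equals target's.

    Expected cost is about 2**16 hashes for the 16-bit truncation above.
    """
    want = weak_identifier_hash(target)
    for i in range(max_tries):
        candidate = f"user{i}"
        if candidate != target and weak_identifier_hash(candidate) == want:
            return candidate
    raise RuntimeError("no collision found within max_tries")


class HardenedSessionStore:
    """Opaque random tokens; the server-side record carries directory + user.

    The token is never derived from identity, so two principals cannot share
    one. Only a digest of the token is stored, so a leaked store does not leak
    live tokens; lookup is by exact digest match.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, directory_id: int, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {"directory": directory_id, "user": username}
        return token

    def resolve(self, token: str) -> Optional[dict]:
        return self._sessions.get(self._key(token))

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


def demonstrate() -> dict:
    """Run both hijack scenarios against the vulnerable store and return results."""
    store = VulnerableSessionStore()
    victim_token = store.login(1, "alice")

    # Scenario 1: same username in a different directory (no search needed).
    cross_dir_token = store.login(2, "alice")
    # Scenario 2: a different username whose truncated hash collides.
    collider = find_colliding_username("alice")
    collider_token = store.login(2, collider)

    return {
        "victim_token": victim_token,
        "cross_directory_hijack": store.resolve(cross_dir_token),
        "collision_name": collider,
        "collision_hijack": store.resolve(collider_token),
    }


if __name__ == "__main__":
    print(demonstrate())
```

In both scenarios the attacker's own login yields a token that the vulnerable store resolves to the directory 1 "alice" record, which is the session hijack the advisory describes. The hardened store gives the two "alice" principals unrelated tokens because the token carries no identity information at all; the attacker's only remaining option is guessing 256 random bits.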
References (1)
Core References
Issue Tracking, Vendor Advisory
https://jira.atlassian.com/browse/CWD-5061
Scores
CVSS v3
7.5
EPSS
0.0054
EPSS Percentile
67.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
atlassian/crowd
< 2.9.1
Published
Mar 29, 2019
Tracked Since
Feb 18, 2026