Vulnerability Details : CVE-2018-20238
Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
Products affected by CVE-2018-20238
- cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-20238
0.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-20238
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
8.0
|
4.9
|
NIST | |
8.1
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST |
CWE ids for CVE-2018-20238
-
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-20238
-
http://www.securityfocus.com/bid/107036
Atlassian Crowd CVE-2018-20238 Authentication Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://jira.atlassian.com/browse/CWD-5361
[CWD-5361] Insufficient Session Expiration of user sessions - CVE-2018-20238 - Create and track feature requests for Atlassian products.Vendor Advisory
Jump to