Auth bypass in Atlassian Crowd

CVE-2017-16858

The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a d…

Vulnerability class: Broken Access Control

EPSS: 0.001 (31.8th percentile) — read the EPSS interpretation.

Affected products

Atlassian Crowd — versions from 1.5.0 before 3.1.2

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

jira.atlassian.com/browse/CWD-5009 (x_refsource_CONFIRM)