CVE-2017-16858

CVE-2017-16858

Vendor Atlassian
Product Crowd
Weakness CWE-863 · Incorrect authorization
Published January 31, 2018
Last update September 17, 2024
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was possible to authenticate REST requests using the credentials of the user coming from directory 2 and impersonate the user from directory 1.

Key dates

02Disclosure timeline

January 31, 2018 CVE published
September 17, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-46569 OPA server Data API HTTP path injection of Rego CVE-2026-42426 OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope CVE-2023-7322 Nagios Log Server < 2024R1 Incorrect Authorization Granting Full API Access CVE-2025-5822 Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability CVE-2026-32050 OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass