{"api_version":"1","generated_at":"2026-07-11T12:56:42+00:00","cve":"CVE-2018-20238","urls":{"html":"https://cve.report/CVE-2018-20238","api":"https://cve.report/api/cve/CVE-2018-20238.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-20238","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-20238"},"summary":{"title":"CVE-2018-20238","description":"Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2019-02-13 18:29:00","updated_at":"2019-02-26 15:42:00"},"problem_types":["CWE-384"],"metrics":[],"references":[{"url":"https://jira.atlassian.com/browse/CWD-5361","name":"https://jira.atlassian.com/browse/CWD-5361","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"[CWD-5361] Insufficient Session Expiration of user sessions - CVE-2018-20238 - Create and track feature requests for Atlassian products.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/107036","name":"107036","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Atlassian Crowd CVE-2018-20238 Authentication Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-20238","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20238","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"20238","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"crowd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"20238","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"crowd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2019-02-13T00:00:00","ID":"CVE-2018-20238","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Crowd","version":{"version_data":[{"version_affected":"<","version_value":"3.2.7"},{"version_affected":">=","version_value":"3.3.0"},{"version_affected":"<","version_value":"3.3.4"}]}}]},"vendor_name":"Atlassian"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Insufficient Session Expiration"}]}]},"references":{"reference_data":[{"name":"https://jira.atlassian.com/browse/CWD-5361","refsource":"CONFIRM","url":"https://jira.atlassian.com/browse/CWD-5361"},{"name":"107036","refsource":"BID","url":"http://www.securityfocus.com/bid/107036"}]}},"nvd":{"publishedDate":"2019-02-13 18:29:00","lastModifiedDate":"2019-02-26 15:42:00","problem_types":["CWE-384"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3.0","versionEndExcluding":"3.3.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*","versionEndExcluding":"3.2.7","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"20238","Ordinal":"140505","Title":"CVE-2018-20238","CVE":"CVE-2018-20238","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"20238","Ordinal":"1","NoteData":"Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"20238","Ordinal":"2","NoteData":"2019-02-13","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"20238","Ordinal":"3","NoteData":"2019-02-16","Type":"Other","Title":"Modified"}]}}}