An unauthenticated user is able to set the admin password of Crucible to any value, gaining admin access to the Crucible instance as a result.
The vulnerability affects Crucible version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4, 3.5.0.
For additional details see the full advisory.