Information Disclosure Vulnerability in Atlassian Fisheye and Crucible
CVE-2020-14192

4.3MEDIUM

Key Information:

Vendor: Atlassian
Status: Fisheye; Crucible
Vendor: CVE Published:; 2 February 2021

Summary

An information disclosure vulnerability exists in affected versions of Atlassian Fisheye and Crucible due to improper handling of the x-asen response header from Atlassian Analytics. This flaw allows remote attackers to potentially access sensitive product data, such as the product's SEN (Secure Environment Number). To mitigate this risk, users are advised to update to version 4.8.4 or later.

Affected Version(s)

Crucible < 4.8.4

Fisheye < 4.8.4

References

https://jira.atlassian.com/browse/FE-7334

x_refsource_MISC

https://jira.atlassian.com/browse/CRUC-8502

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 2, 2021
Vulnerability Reserved
Jun 16, 2020