Insecure Direct Object Reference in Atlassian Fisheye and Crucible
CVE-2020-29446

5.3MEDIUM

Key Information:

Vendor: Atlassian
Status: Fisheye; Crucible
Vendor: CVE Published:; 18 January 2021

Summary

The vulnerability identified in certain versions of Atlassian Fisheye and Crucible consists of an Insecure Direct Object Reference (IDOR) that enables remote attackers to access local files through the WEB-INF directory. This exposure occurs in versions prior to 4.8.5, allowing unauthorized data access that can lead to further security breaches.

Affected Version(s)

Crucible < 4.8.5

Fisheye < 4.8.5

References

https://jira.atlassian.com/browse/CRUC-8496

x_refsource_MISC

https://jira.atlassian.com/browse/FE-7326

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 18, 2021
Vulnerability Reserved
Dec 1, 2020