CVE-2021-43954

4.3MEDIUM

Key Information:

Vendor: Atlassian
Status: Fisheye; Crucible
Vendor: CVE Published:; 14 March 2022

Summary

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

Affected Version(s)

Crucible < 4.8.9

Fisheye < 4.8.9

References

https://jira.atlassian.com/browse/FE-7384

x_refsource_MISC

https://jira.atlassian.com/browse/CRUC-8520

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2022
Vulnerability Reserved
Nov 16, 2021