CVE-2021-43954

4.3MEDIUM

Key Information

Vendor: Atlassian
Status: Fisheye; Crucible
Vendor: CVE Published:; 14 March 2022

Summary

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

Affected Version(s)

Fisheye < 4.8.9

Crucible < 4.8.9

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Mar 14, 2022
Vulnerability Reserved.
Nov 16, 2021

Collectors

NVD DatabaseMitre Database