Server-Side Request Forgery Vulnerability in Fisheye and Crucible by Atlassian
CVE-2021-43954

4.3MEDIUM

Key Information:

Vendor: Atlassian
Status: Fisheye; Crucible
Vendor: CVE Published:; 14 March 2022

Summary

The DefaultRepositoryAdminService class in Atlassian's Fisheye and Crucible versions before 4.8.9 contains a server-side request forgery (SSRF) vulnerability. This flaw enables remote attackers, granted 'can add repository' permissions, to exploit the system and enumerate internal network and filesystem resources. Attackers can craft specially designed requests that leverage this weakness, potentially revealing sensitive information about the internal architecture.

Affected Version(s)

Crucible < 4.8.9

Fisheye < 4.8.9

References

https://jira.atlassian.com/browse/FE-7384

x_refsource_MISC

https://jira.atlassian.com/browse/CRUC-8520

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2022
Vulnerability Reserved
Nov 16, 2021