Insecure Direct Object Reference in Atlassian Fisheye & Crucible
CVE-2021-43957

7.5HIGH

Key Information:

Vendor: Atlassian
Status: Fisheye; Crucible
Vendor: CVE Published:; 16 March 2022

Summary

Certain versions of Atlassian Fisheye & Crucible are susceptible to an Insecure Direct Object Reference vulnerability that allows remote attackers to gain unauthorized access to sensitive local files. This flaw emerges from a lack of URL decoding in the WEB-INF directory, which undermines prior fixes intended to mitigate similar threats. Users of affected versions should update to the latest release to protect against potential exploitation.

Affected Version(s)

Crucible < 4.8.9

Fisheye < 4.8.9

References

https://jira.atlassian.com/browse/FE-7388

x_refsource_MISC

https://jira.atlassian.com/browse/CRUC-8524

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 16, 2022
Vulnerability Reserved
Nov 16, 2021