Vulnerability CVE-2021-43957
Published: 2022-03-16

Description:
Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9.

Type:

CWE-639

 (Authorization Bypass Through User-Controlled Key)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Atlassian -> Crucible 
Atlassian -> Fisheye 

 References:
https://jira.atlassian.com/browse/FE-7388
https://jira.atlassian.com/browse/CRUC-8524
Copyright 2024, cxsecurity.com

 

Back to Top