CVE-2021-43954

CVE Database · CVE-2021-43954

CVE-2021-43954

· MEDIUMModified

CVSS v3.1

4.3

EPSS

0.74%

Published

Mar 13, 2022

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-918

Affected Products (2)

atlassian · crucible (up to 4.8.9)vulnerable

atlassian · fisheye (up to 4.8.9)vulnerable

References (4)

https://jira.atlassian.com/browse/CRUC-8520

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/FE-7384

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/CRUC-8520

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/FE-7384

Issue TrackingVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs