CVE-2021-43954

Summary

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

Affected Software

VendorProductVersion RangeStatus
AtlassianFisheyeunspecified < 4.8.9affected
AtlassianCrucibleunspecified < 4.8.9affected

Weaknesses

  • Server Side Request Forgery (SSRF)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References