Description
The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers who have the 'can add repository' permission to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
References
https://jira.atlassian.com/browse/CRUC-8520
Issue Tracking, Vendor Advisory
https://jira.atlassian.com/browse/FE-7384
Issue Tracking, Vendor Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 · Medium
CVSS V3.1
Information
Source identifier
Vulnerability status
Analyzed
Published
2022-03-14T02:15:08.197
Last modified
2022-03-18T19:13:11.167