Description

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

Related CPE's

a

atlassian

crucible

Vulnerable

a

atlassian

fisheye

Vulnerable

References

https://jira.atlassian.com/browse/CRUC-8520

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/FE-7384

Issue TrackingVendor Advisory

Weaknesses

[email protected]

Primary
CWE-918

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-03-14T02:15:08.197

3 years ago

Last modified

2022-03-18T19:13:11.167

3 years ago