Description


The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers who have the 'can add repository' permission to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.




References


https://jira.atlassian.com/browse/CRUC-8520

Issue Tracking, Vendor Advisory

https://jira.atlassian.com/browse/FE-7384

Issue Tracking, Vendor Advisory

Weaknesses



CWE-918

CVSS impact metrics


CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.3 · Medium


Information


Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-03-14T02:15:08.197


Last modified

2022-03-18T19:13:11.167
