CVE-2021-43954: SSRF
First published: Mon Mar 14 2022(Updated: )
The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Crucible | <4.8.9 | |
| Atlassian FishEye | <4.8.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-43954?
CVE-2021-43954 is a vulnerability in the DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 that allows remote attackers to enumerate internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
Which software is affected by CVE-2021-43954?
The Atlassian Crucible and Atlassian FishEye software versions up to exclusive 4.8.9 are affected by CVE-2021-43954.
What is the severity of CVE-2021-43954?
The severity of CVE-2021-43954 is medium with a severity value of 4.3.
How can remote attackers exploit CVE-2021-43954?
Remote attackers with 'can add repository permission' can exploit CVE-2021-43954 to enumerate the existence of internal network and filesystem resources through a Server-Side Request Forgery (SSRF) vulnerability.
Are there any references for CVE-2021-43954?
Yes, the following references provide more information on CVE-2021-43954: [Link 1](https://jira.atlassian.com/browse/CRUC-8520), [Link 2](https://jira.atlassian.com/browse/FE-7384).
- collector/nvd-index
- vendor/atlassian
- canonical/atlassian crucible
- canonical/atlassian fisheye