CVE-2021-43958
First published: Wed Mar 16 2022(Updated: )
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Crucible | <4.8.9 | |
| Atlassian FishEye | <4.8.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this security vulnerability?
The vulnerability ID for this security vulnerability is CVE-2021-43958.
What is the severity of CVE-2021-43958?
The severity of CVE-2021-43958 is critical.
Which software versions are affected by CVE-2021-43958?
Versions of Atlassian Crucible and Atlassian FishEye before 4.8.9 are affected by CVE-2021-43958.
How can remote attackers exploit CVE-2021-43958?
Remote attackers can exploit CVE-2021-43958 by brute-forcing user login credentials, bypassing the max failed login limits, and not needing to solve a CAPTCHA.
Are there any known fixes for CVE-2021-43958?
Yes, the vulnerability can be fixed by updating Atlassian Crucible and Atlassian FishEye to version 4.8.9 or above.
- collector/nvd-index
- vendor/atlassian
- canonical/atlassian crucible
- canonical/atlassian fisheye