Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8496

Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

XMLWordPrintable

    • 5
    • Medium
    • CVE-2020-29446

      Affected versions of Atlassian Dev Tools allow remote attackers
      to browse local files via an Insecure Direct Object References (IDOR) vulnerability in WEB-INF in Fisheye/Crucible.

      The affected versions are before version 4.8.5.

       

      Affected versions:

      • version < 4.8.5

      Fixed versions:

      • 4.8.5
      • 4.9.0  

            [CRUC-8496] Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

            AB added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment. 

            CVSS v3 score: 5.8 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            AB added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment.  CVSS v3 score: 5.8 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: