-
Public Security Vulnerability
-
Resolution: Fixed
-
Low
-
4.8.0
-
None
-
4.3
-
Medium
-
CVE-2021-43954
Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability in the DefaultRepositoryAdminService class.
When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information.
The affected versions are before version 4.8.9.
Affected versions:
- version < 4.8.9
Fixed versions:
- 4.8.9
- relates to
-
FE-7384 CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService
- Published