This High severity BASM (Broken Authentication & Session Management) vulnerability was introduced in version 4.9.0 of Crucible Server.

This BASM (Broken Authentication & Session Management) vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an unauthenticated attacker to perform actions as another user which has low impact to confidentiality, low impact to integrity, low impact to availability, and requires no user interaction.

Atlassian recommends that Crucible Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Crucible Server 4.9: Upgrade to a release greater than or equal to 4.9.11

See the release notes (https://confluence.atlassian.com/crucible/crucible-releases-298977378.html). You can download the latest version of Crucible Server from the download center (https://www.atlassian.com/software/crucible/download-archives).

The National Vulnerability Database provides the following description for this vulnerability: Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".