[%22Issue] CVE-2021-43958: Various rest resources missing CAPTCHA for failed user login attempts - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 4.8.9
Affects Version/s: 4.8.0
Component/s: None
Labels:

CVSS Score:
7.4
CVSS Severity:
High
CVE ID:
CVE-2021-43958

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

Affected versions:

version < 4.8.9

Fixed versions:

4.8.9

relates to

CRUC-8523 CVE-2021-43958: Various rest resources missing CAPTCHA for failed user login attempts

Published

VULN-564011 Failed to load

David Black added a comment - 14/Mar/2022 5:46 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.4 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

David Black added a comment - 14/Mar/2022 5:46 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.4 => High severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 07/Mar/2022 8:01 AM

Updated:: 09/Nov/2023 9:44 AM

Resolved:: 14/Mar/2022 5:47 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[FE-7387] CVE-2021-43958: Various rest resources missing CAPTCHA for failed user login attempts

Collapse comment: David Black added a comment - 14/Mar/2022 5:46 AM

Expand comment: David Black added a comment - 14/Mar/2022 5:46 AM

People

Dates