[%22Issue] CVE-2021-43957: Bypass for CVE-2020-29446 (Local file disclosure / path traversal within WEB-INF) - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 4.8.9
Affects Version/s: 4.8.8
Component/s: None
Labels:

CVSS Score:
5.8
CVSS Severity:
Medium
CVE ID:
CVE-2021-43957

Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9.

Affected versions:

version < 4.8.9

Fixed versions:

4.8.9

is related to

CRUC-8496 Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

Published

FE-7326 Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

Published

relates to

CRUC-8524 CVE-2021-43957: Bypass for CVE-2020-29446 (Local file disclosure / path traversal within WEB-INF)

Published

David Black added a comment - 14/Mar/2022 5:10 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 5.8 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

David Black added a comment - 14/Mar/2022 5:10 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.8 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 07/Mar/2022 8:02 AM

Updated:: 09/Nov/2023 9:44 AM

Resolved:: 14/Mar/2022 5:11 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[FE-7388] CVE-2021-43957: Bypass for CVE-2020-29446 (Local file disclosure / path traversal within WEB-INF)

Collapse comment: David Black added a comment - 14/Mar/2022 5:10 AM

Expand comment: David Black added a comment - 14/Mar/2022 5:10 AM

People

Dates