Vulnerabilities > Atlassian > Crucible > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-07-20 CVE-2022-26136 Improper Authentication vulnerability in Atlassian products
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps.
network
low complexity
atlassian CWE-287
critical
9.8
2022-03-16 CVE-2021-43958 Improper Restriction of Excessive Authentication Attempts vulnerability in Atlassian Crucible
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.
network
low complexity
atlassian CWE-307
critical
9.8
2018-02-01 CVE-2017-16861 Unspecified vulnerability in Atlassian Fisheye
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur.
network
low complexity
atlassian
critical
9.8
2017-11-29 CVE-2017-14591 Argument Injection or Modification vulnerability in Atlassian Crucible
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
network
high complexity
atlassian CWE-88
critical
9.0
2012-05-22 CVE-2012-2926 Unspecified vulnerability in Atlassian products
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
network
low complexity
atlassian
critical
9.1