Vulnerabilities > Atlassian > Fisheye > 2.0.4

DATE CVE VULNERABILITY TITLE RISK
2022-03-16 CVE-2021-43955 Unspecified vulnerability in Atlassian Crucible
The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability.
network
low complexity
atlassian
4.3
2022-03-16 CVE-2021-43956 Unspecified vulnerability in Atlassian Crucible
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.
network
atlassian
4.3
2022-03-16 CVE-2021-43957 Authorization Bypass Through User-Controlled Key vulnerability in Atlassian Crucible
Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding.
network
low complexity
atlassian CWE-639
5.0
2022-03-16 CVE-2021-43958 Improper Restriction of Excessive Authentication Attempts vulnerability in Atlassian Crucible
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.
network
low complexity
atlassian CWE-307
7.5
2022-03-14 CVE-2021-43954 Server-Side Request Forgery (SSRF) vulnerability in Atlassian Crucible
The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
network
low complexity
atlassian CWE-918
4.0
2021-02-02 CVE-2020-14192 Information Exposure vulnerability in Atlassian Crucible
Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.
network
low complexity
atlassian CWE-200
4.0
2021-01-18 CVE-2020-29446 Information Exposure vulnerability in Atlassian Crucible
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory.
network
low complexity
atlassian CWE-200
5.0
2020-11-25 CVE-2020-14190 Missing Authorization vulnerability in Atlassian Crucible
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL.
network
low complexity
atlassian CWE-862
5.0
2020-11-25 CVE-2020-14191 Missing Authorization vulnerability in Atlassian Crucible
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets.
network
low complexity
atlassian CWE-862
5.0
2020-08-05 CVE-2017-18112 Information Exposure vulnerability in Atlassian Fisheye
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature.
network
low complexity
atlassian CWE-200
4.0