CVE-2021-43958

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://jira.atlassian.com/browse/CRUC-8523	Issue Tracking Vendor Advisory
https://jira.atlassian.com/browse/FE-7387	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:crucible::::::::
	cpe:2.3:a:atlassian:fisheye::::::::

History

22 Mar 2022, 16:02

Type	Values Removed	Values Added
First Time		Atlassian crucible Atlassian fisheye Atlassian
CWE		CWE-307
CPE		cpe:2.3:a:atlassian:fisheye:::::::: cpe:2.3:a:atlassian:crucible::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
References	~~(MISC) https://jira.atlassian.com/browse/FE-7387 -~~	(MISC) https://jira.atlassian.com/browse/FE-7387 - Issue Tracking, Vendor Advisory
References	~~(MISC) https://jira.atlassian.com/browse/CRUC-8523 -~~	(MISC) https://jira.atlassian.com/browse/CRUC-8523 - Issue Tracking, Vendor Advisory

16 Mar 2022, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-16 01:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-43958

Mitre link : CVE-2021-43958

CVE.ORG link : CVE-2021-43958

JSON object : View

Products Affected

atlassian

crucible
fisheye

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2021-43958", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-03-16T01:15:07.950", "references": [{"url": "https://jira.atlassian.com/browse/CRUC-8523", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/FE-7387", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@atlassian.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}, {"lang": "es", "value": "Varios recursos de reposo en Fisheye y Crucible versiones anteriores a 4.8.9 permit\u00edan a atacantes remotos forzar las credenciales de inicio de sesi\u00f3n de usuarios, ya que los recursos de reposo no comprobaban si los usuarios estaban m\u00e1s all\u00e1 de sus l\u00edmites m\u00e1ximos de inicio de sesi\u00f3n fallido y, por lo tanto, requer\u00edan resolver un CAPTCHA adem\u00e1s de proporcionar las credenciales de usuario para la autenticaci\u00f3n por medio de una vulnerabilidad de restricci\u00f3n inapropiada del exceso de intentos de autenticaci\u00f3n"}], "lastModified": "2022-03-22T16:02:29.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D4FEF8B-76B5-4DB1-BC60-FE05BB918444", "versionEndExcluding": "4.8.9"}, {"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C288EF9-2CF5-40F1-BC5E-C4C1EAE30B14", "versionEndExcluding": "4.8.9"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}