
PEACH
Un cadre d’isolation des locataires
Affected versions of Atlassian Fisheye & Crucible before version 4.8.9 contained an Insecure Direct Object References (IDOR) vulnerability that allowed remote attackers to browse local files via the WEB-INF directory. This vulnerability (CVE-2021-43957) was discovered as a bypass for a previous vulnerability (CVE-2020-29446) due to a lack of URL decoding (NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The issue stems from improper URL decoding in the WEB-INF directory access controls, which allowed attackers to bypass the previous fix implemented for CVE-2020-29446 (NVD).
This vulnerability allows remote attackers to access and browse local files through the WEB-INF directory, potentially exposing sensitive system information and configurations. The high confidentiality impact (C:H) in the CVSS score indicates that the vulnerability could lead to total information disclosure, with all system files being revealed to the attacker (NVD).
The vulnerability has been fixed in Atlassian Fisheye & Crucible version 4.8.9. Users running affected versions (< 4.8.9) should upgrade to version 4.8.9 or later to mitigate this security risk (Atlassian Issue).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."