CVE-2021-43957: 
Atlassian Fisheye & Crucible vulnerability analysis and mitigation

Affected versions of Atlassian Fisheye & Crucible before version 4.8.9 contained an Insecure Direct Object References (IDOR) vulnerability that allowed remote attackers to browse local files via the WEB-INF directory. This vulnerability (CVE-2021-43957) was discovered as a bypass for a previous vulnerability (CVE-2020-29446) due to a lack of URL decoding (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The issue stems from improper URL decoding in the WEB-INF directory access controls, which allowed attackers to bypass the previous fix implemented for CVE-2020-29446 (NVD).

This vulnerability allows remote attackers to access and browse local files through the WEB-INF directory, potentially exposing sensitive system information and configurations. The high confidentiality impact (C:H) in the CVSS score indicates that the vulnerability could lead to total information disclosure, with all system files being revealed to the attacker (NVD).

The vulnerability has been fixed in Atlassian Fisheye & Crucible version 4.8.9. Users running affected versions (< 4.8.9) should upgrade to version 4.8.9 or later to mitigate this security risk (Atlassian Issue).