CVE-2021-43954: [FE-7384] File and network resource enumeration via SSRF in DefaultRepositoryAdminService
The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have the 'can add repository' permission, to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have the 'can add repository' permission, to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability in the DefaultRepositoryAdminService class.
When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.
The affected versions are before version 4.8.9.
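The following is an added illustration of the kind of pre-connection check that mitigates this class of bug; it is not Atlassian's fix and not code from Fisheye or Crucible. It assumes an "add repository" flow that receives a user-supplied location as a URL, and it rejects non-URL forms, file paths, and any host that resolves to loopback, private, or link-local space (which includes the EC2 metadata address) with a single undifferentiated result, so the caller cannot learn whether the blocked target exists.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example (not Atlassian code): a conservative check for a user-supplied
# repository location, applied before the server connects anywhere. Hostnames
# are resolved and every returned address is tested, so a public name that
# currently resolves to an internal address is rejected as well.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# 169.254.0.0/16 covers the EC2 instance metadata endpoint (169.254.169.254);
# the other ranges are loopback, RFC 1918 and IPv6 unique-local / link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # 'in' is False for a version mismatch, so mixed v4/v6 lists are safe
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_repository_location(location: str, resolver=socket.getaddrinfo) -> bool:
    """Return True only for an https/ssh/git URL whose host resolves solely
    to addresses outside BLOCKED_NETWORKS. Every rejection returns the same
    False, so a probe cannot distinguish 'blocked' from 'does not exist'."""
    parsed = urlparse(location)
    # file://, bare filesystem paths and unexpected schemes never reach the
    # filesystem or the network at all
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    try:
        # Literal IPv4/IPv6 addresses (hostname strips the [] of IPv6) skip DNS
        addrs = [str(ipaddress.ip_address(parsed.hostname))]
    except ValueError:
        try:
            # resolver is injectable so the check can be exercised offline
            addrs = {info[4][0] for info in resolver(parsed.hostname, None)}
        except (socket.gaierror, OSError):
            return False
    return not any(_is_blocked(a) for a in addrs)
```

The address checked here should also be the address actually connected to (pin it rather than resolving again at connect time), otherwise a name that changes its answer between the check and the connection would bypass the test.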
Affected versions:
- version < 4.8.9
Fixed versions:
- 4.8.9