CVE-2021-43958 - OpenCVE

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Atlassian	Crucible Fisheye

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:crucible::::::::
	cpe:2.3:a:atlassian:fisheye::::::::

No data.

References

Link	Providers
https://jira.atlassian.com/browse/CRUC-8523
https://jira.atlassian.com/browse/FE-7387

History

No history.

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2022-03-16T00:55:19.574907Z

Updated: 2024-09-16T17:08:22.249Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43958

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-16T01:15:07.950

Modified: 2022-03-22T16:02:29.927

Link: CVE-2021-43958

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fisheye", "vendor": "Atlassian", "versions": [{"lessThan": "4.8.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Crucible", "vendor": "Atlassian", "versions": [{"lessThan": "4.8.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-03-14T00:00:00", "descriptions": [{"lang": "en", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-16T00:55:19", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/FE-7387"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-03-14T00:00:00", "ID": "CVE-2021-43958", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fisheye", "version": {"version_data": [{"version_affected": "<", "version_value": "4.8.9"}]}}, {"product_name": "Crucible", "version": {"version_data": [{"version_affected": "<", "version_value": "4.8.9"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Restriction of Excessive Authentication Attempts"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/FE-7387", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/FE-7387"}, {"name": "https://jira.atlassian.com/browse/CRUC-8523", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CRUC-8523"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:17.148Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/FE-7387"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}]}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-43958", "datePublished": "2022-03-16T00:55:19.574907Z", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-09-16T17:08:22.249Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D4FEF8B-76B5-4DB1-BC60-FE05BB918444", "versionEndExcluding": "4.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C288EF9-2CF5-40F1-BC5E-C4C1EAE30B14", "versionEndExcluding": "4.8.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}, {"lang": "es", "value": "Varios recursos de reposo en Fisheye y Crucible versiones anteriores a 4.8.9 permit\u00edan a atacantes remotos forzar las credenciales de inicio de sesi\u00f3n de usuarios, ya que los recursos de reposo no comprobaban si los usuarios estaban m\u00e1s all\u00e1 de sus l\u00edmites m\u00e1ximos de inicio de sesi\u00f3n fallido y, por lo tanto, requer\u00edan resolver un CAPTCHA adem\u00e1s de proporcionar las credenciales de usuario para la autenticaci\u00f3n por medio de una vulnerabilidad de restricci\u00f3n inapropiada del exceso de intentos de autenticaci\u00f3n"}], "id": "CVE-2021-43958", "lastModified": "2022-03-22T16:02:29.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-16T01:15:07.950", "references": [{"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}, {"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/FE-7387"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}]}