CVE-2021-43958 - Vulnerability Details - OpenCVE

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.01276.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Atlassian	Crucible Fisheye

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:crucible::::::::
	cpe:2.3:a:atlassian:fisheye::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-30820	Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://jira.atlassian.com/browse/CRUC-8523
https://jira.atlassian.com/browse/FE-7387

History

Mon, 07 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2022-03-16T00:55:19.574907Z

Updated: 2024-10-04T18:55:11.181Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43958

Vulnrichment

Updated: 2024-08-04T04:10:17.148Z

NVD

Status : Modified

Published: 2022-03-16T01:15:07.950

Modified: 2024-11-21T06:30:05.290

Link: CVE-2021-43958

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Fisheye", "vendor": "Atlassian", "versions": [{"lessThan": "4.8.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Crucible", "vendor": "Atlassian", "versions": [{"lessThan": "4.8.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-03-14T00:00:00", "descriptions": [{"lang": "en", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-16T00:55:19", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/FE-7387"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-03-14T00:00:00", "ID": "CVE-2021-43958", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fisheye", "version": {"version_data": [{"version_affected": "<", "version_value": "4.8.9"}]}}, {"product_name": "Crucible", "version": {"version_data": [{"version_affected": "<", "version_value": "4.8.9"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Restriction of Excessive Authentication Attempts"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/FE-7387", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/FE-7387"}, {"name": "https://jira.atlassian.com/browse/CRUC-8523", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CRUC-8523"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:17.148Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/FE-7387"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-307", "lang": "en", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "affected": [{"vendor": "atlassian", "product": "fisheye", "cpes": ["cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.8.9", "versionType": "custom"}]}, {"vendor": "atlassian", "product": "crucible", "cpes": ["cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.8.9", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-04T18:50:42.664622Z", "id": "CVE-2021-43958", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-04T18:55:11.181Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-43958", "datePublished": "2022-03-16T00:55:19.574907Z", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-10-04T18:55:11.181Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.atlassian.com/browse/FE-7387", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://jira.atlassian.com/browse/CRUC-8523", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:17.148Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-43958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-04T18:50:42.664622Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"], "vendor": "atlassian", "product": "fisheye", "versions": [{"status": "affected", "version": "0", "lessThan": "4.8.9", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"], "vendor": "atlassian", "product": "crucible", "versions": [{"status": "affected", "version": "0", "lessThan": "4.8.9", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-04T18:55:02.124Z"}}], "cna": {"affected": [{"vendor": "Atlassian", "product": "Fisheye", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "4.8.9", "versionType": "custom"}]}, {"vendor": "Atlassian", "product": "Crucible", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "4.8.9", "versionType": "custom"}]}], "datePublic": "2022-03-14T00:00:00", "references": [{"url": "https://jira.atlassian.com/browse/FE-7387", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.atlassian.com/browse/CRUC-8523", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2022-03-16T00:55:19"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "4.8.9", "version_affected": "<"}]}, "product_name": "Fisheye"}, {"version": {"version_data": [{"version_value": "4.8.9", "version_affected": "<"}]}, "product_name": "Crucible"}]}, "vendor_name": "Atlassian"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://jira.atlassian.com/browse/FE-7387", "name": "https://jira.atlassian.com/browse/FE-7387", "refsource": "MISC"}, {"url": "https://jira.atlassian.com/browse/CRUC-8523", "name": "https://jira.atlassian.com/browse/CRUC-8523", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Restriction of Excessive Authentication Attempts"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-43958", "STATE": "PUBLIC", "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-03-14T00:00:00"}}}}, "cveMetadata": {"cveId": "CVE-2021-43958", "state": "PUBLISHED", "dateUpdated": "2024-10-04T18:55:11.181Z", "dateReserved": "2021-11-16T00:00:00", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2022-03-16T00:55:19.574907Z", "assignerShortName": "atlassian"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D4FEF8B-76B5-4DB1-BC60-FE05BB918444", "versionEndExcluding": "4.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C288EF9-2CF5-40F1-BC5E-C4C1EAE30B14", "versionEndExcluding": "4.8.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability."}, {"lang": "es", "value": "Varios recursos de reposo en Fisheye y Crucible versiones anteriores a 4.8.9 permit\u00edan a atacantes remotos forzar las credenciales de inicio de sesi\u00f3n de usuarios, ya que los recursos de reposo no comprobaban si los usuarios estaban m\u00e1s all\u00e1 de sus l\u00edmites m\u00e1ximos de inicio de sesi\u00f3n fallido y, por lo tanto, requer\u00edan resolver un CAPTCHA adem\u00e1s de proporcionar las credenciales de usuario para la autenticaci\u00f3n por medio de una vulnerabilidad de restricci\u00f3n inapropiada del exceso de intentos de autenticaci\u00f3n"}], "id": "CVE-2021-43958", "lastModified": "2024-11-21T06:30:05.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-03-16T01:15:07.950", "references": [{"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}, {"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/FE-7387"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/CRUC-8523"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/FE-7387"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}