CVE-2021-43955 : What You Need to Know

Discover the impact of CVE-2021-43955 affecting Atlassian's Fisheye and Crucible versions prior to 4.8.9. Learn about the exploitation risk and mitigation steps to secure your systems.

CVE-2021-43955 was published on March 14, 2022, and affects Atlassian's Fisheye and Crucible versions prior to 4.8.9.

Understanding CVE-2021-43955

What is CVE-2021-43955?

CVE-2021-43955 is an information disclosure flaw in the /rest-service-fecru/server-v1 resource of Fisheye and Crucible before version 4.8.9. It allowed authenticated remote attackers to obtain information about the installation directories.

The Impact of CVE-2021-43955

This vulnerability could be exploited by attackers to gather sensitive information about the installation directories of affected Atlassian products, potentially leading to further security breaches.

Technical Details of CVE-2021-43955

Vulnerability Description

The /rest-service-fecru/server-v1 resource in Fisheye and Crucible versions less than 4.8.9 allowed authenticated remote attackers to retrieve details on installation directories through an information disclosure weakness.

Affected Systems and Versions

        Product: Fisheye
              Vendor: Atlassian
              Versions Affected: Less than 4.8.9 (custom version)
        Product: Crucible
              Vendor: Atlassian
              Versions Affected: Less than 4.8.9 (custom version)

Exploitation Mechanism

Attackers with authenticated access could leverage this vulnerability to extract sensitive details regarding installation directories, potentially aiding in planning further malicious activities.

Mitigation and Prevention

Immediate Steps to Take

        Update the affected Fisheye and Crucible versions to 4.8.9 or later to address the vulnerability.
        Restrict network access to the affected services to reduce the attack surface.
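
A defender-side check for the two immediate steps above, added here as an example (not code from this page or from Atlassian): it compares an installed version string against 4.8.9 and lists successful requests to the affected resource that came from outside the networks you allow. The Combined Log Format reverse-proxy log, the allowed network list and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

FIXED = (4, 8, 9)                      # first fixed release named on this page
RESOURCE = "/rest-service-fecru/server-v1"
# Assumption: Combined Log Format written by a reverse proxy in front of the instance.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def needs_upgrade(version):
    """True when a dotted version string such as '4.8.8' is below 4.8.9."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))   # treat '4.8' as 4.8.0
    return parts < FIXED

def review_candidates(lines, allowed_nets):
    """Return (timestamp, ip, path) for 2xx requests to the resource
    whose source address is outside every network in allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        m = LINE.match(line)
        # Substring match so a deployment under a context path is still caught.
        if not m or RESOURCE not in m["path"].split("?")[0]:
            continue
        src = ipaddress.ip_address(m["ip"])
        if m["status"].startswith("2") and not any(src in n for n in nets):
            hits.append((m["ts"], m["ip"], m["path"]))
    return hits

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '10.0.5.12 - - [02/Apr/2022:09:14:03 +0000] "GET /rest-service-fecru/server-v1 HTTP/1.1" 200 412 "-" "curl/7.79"',
    '203.0.113.40 - - [02/Apr/2022:09:20:41 +0000] "GET /fisheye/rest-service-fecru/server-v1 HTTP/1.1" 200 412 "-" "python-requests/2.27"',
    '203.0.113.40 - - [02/Apr/2022:09:20:44 +0000] "GET /rest-service-fecru/server-v1 HTTP/1.1" 401 0 "-" "python-requests/2.27"',
    '198.51.100.7 - - [02/Apr/2022:10:02:10 +0000] "GET /static/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("4.8.8", "4.8.9", "4.9.0"):
        print(v, "needs upgrade" if needs_upgrade(v) else "ok")
    for hit in review_candidates(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("review:", *hit)
```

A hit is a prompt for review, not proof of misuse: the resource also serves legitimate clients, so the allowed network list decides what counts as unexpected.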

Long-Term Security Practices

        Regularly review and update access controls to prevent unauthorized information disclosure.
        Conduct security assessments and penetration testing to identify and rectify potential vulnerabilities.

Patching and Updates

Ensure timely application of security patches and updates provided by Atlassian to keep Fisheye and Crucible secure.
