CVE-2021-43958 vulnerability in Atlassian Products
Published on March 16, 2022
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.
Vulnerability Analysis
CVE-2021-43958 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Improper Restriction of Excessive Authentication Attempts
The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.
Products Associated with CVE-2021-43958
stack.watch emails you whenever new vulnerabilities are published in Atlassian Crucible or Atlassian Fisheye. Just hit a watch button to start following.
Affected Versions
Atlassian Fisheye:- Version unspecified and below 4.8.9 is affected.
- Version unspecified and below 4.8.9 is affected.
- Before 4.8.9 is affected.
- Before 4.8.9 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.