CVSS: 10.0 | EPSS: 0% | CPEs: 42 | EXPL: 0

20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into re... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize • CWE-346: Origin Validation Error

CVSS: 10.0 | EPSS: 0% | CPEs: 42 | EXPL: 0

20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions ar... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize • CWE-287: Improper Authentication

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

16 Mar 2022 — Various REST resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials, as REST resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication, via an improper restriction of excess authentication attempts vulnerability. • https://jira.atlassian.com/browse/CRUC-8523 • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

16 Mar 2022 — Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of URL decoding. The affected versions are before version 4.8.9. • https://jira.atlassian.com/browse/CRUC-8524 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

16 Mar 2022 — The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. • https://jira.atlassian.com/browse/CRUC-8531 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

16 Mar 2022 — The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via an information disclosure vulnerability. • https://jira.atlassian.com/browse/CRUC-8533

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

14 Mar 2022 — The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. • https://jira.atlassian.com/browse/CRUC-8520 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

01 Feb 2021 — Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. • https://jira.atlassian.com/browse/CRUC-8502 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

18 Jan 2021 — Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5. • https://jira.atlassian.com/browse/CRUC-8496 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

25 Nov 2020 — Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4. • https://jira.atlassian.com/browse/CRUC-8498 • CWE-400: Uncontrolled Resource Consumption