CVE-2021-43958

CRITICAL

Fisheye/Crucible <4.8.9 - Auth Bypass

Title source: llm
STIX 2.1

Description

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

References (2)

Core 2
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/FE-7387
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/CRUC-8523

Scores

CVSS v3 9.8
EPSS 0.0128
EPSS Percentile 79.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-307
Status published
Products (2)
atlassian/crucible < 4.8.9
atlassian/fisheye < 4.8.9
Published Mar 16, 2022
Tracked Since Feb 18, 2026