Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Fisheye
(Atlassian)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 51 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-03-16 | CVE-2021-43955 | The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. | Crucible, Fisheye | 4.3 | ||
| 2022-07-20 | CVE-2022-26137 | A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can... | Bamboo, Bitbucket, Confluence_data_center, Confluence_server, Crowd, Crucible, Fisheye, Jira_data_center, Jira_server, Jira_service_desk, Jira_service_management | 8.8 | ||
| 2022-07-20 | CVE-2022-26136 | A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian... | Bamboo, Bitbucket, Confluence_data_center, Confluence_server, Crowd, Crucible, Fisheye, Jira_data_center, Jira_server, Jira_service_desk, Jira_service_management | 9.8 | ||
| 2019-04-30 | CVE-2018-20239 | Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd... | Application_links, Confluence_data_center, Confluence_server, Crowd, Crucible, Fisheye, Jira_data_center, Jira_server | 5.4 | ||
| 2022-03-16 | CVE-2021-43956 | The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | Crucible, Fisheye | 6.1 | ||
| 2022-03-16 | CVE-2021-43957 | Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9. | Crucible, Fisheye | 7.5 | ||
| 2022-03-16 | CVE-2021-43958 | Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. | Crucible, Fisheye | 9.8 | ||
| 2022-03-14 | CVE-2021-43954 | The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. | Crucible, Fisheye | 4.3 | ||
| 2012-05-22 | CVE-2012-2926 | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via... | Bamboo, Confluence, Confluence_server, Crowd, Crucible, Fisheye, Jira | 9.1 | ||
| 2020-06-01 | CVE-2020-4014 | The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability. | Crucible, Fisheye | 4.3 |