CVE-2021-43957
📋 TL;DR
This vulnerability allows remote attackers to browse local files on Atlassian Fisheye and Crucible servers via an Insecure Direct Object Reference (IDOR) in the WEB-INF directory. Attackers can bypass previous security fixes due to improper URL decoding. Organizations running affected versions of these code review tools are at risk.
💻 Affected Systems
- Atlassian Fisheye
- Atlassian Crucible
📦 What is this software?
Crucible by Atlassian
Fisheye by Atlassian
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive configuration files, source code, credentials, or other local files, potentially leading to complete system compromise.
Likely Case
Unauthorized file browsing exposing sensitive configuration files, source code repositories, or system information that could facilitate further attacks.
If Mitigated
Limited or no impact if proper network segmentation, access controls, and updated versions are in place.
🎯 Exploit Status
Remote exploitation without authentication is possible. The vulnerability involves manipulating URL parameters to bypass security controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.9 or later
Vendor Advisory: https://jira.atlassian.com/browse/CRUC-8524
Restart Required: Yes
Instructions:
1. Download Fisheye/Crucible version 4.8.9 or later from Atlassian's official site.
2. Back up your current installation and data.
3. Stop the Fisheye/Crucible service.
4. Install the updated version.
5. Restart the service.
6. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Fisheye/Crucible instances to trusted IP addresses only
Reverse Proxy Configuration
Configure a reverse proxy with strict URL validation and filtering
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Fisheye/Crucible instances
- Deploy a web application firewall (WAF) with rules to detect and block IDOR exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Fisheye/Crucible version in the administration console or by examining the installation directory
Check Version:
Check the version in the web interface under Administration > System Information, or examine the fisheye-version.txt/crucible-version.txt file in the installation directory
Verify Fix Applied:
Verify the version is 4.8.9 or higher and test that URL manipulation attempts are properly blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in WEB-INF directory
- Multiple failed or unusual URL decoding attempts
- Access to sensitive paths from unexpected sources
Network Indicators:
- Unusual HTTP requests with encoded URL parameters targeting WEB-INF paths
- Requests bypassing normal authentication flows
SIEM Query:
(source="fisheye-logs" OR source="crucible-logs") AND (uri="*WEB-INF*" OR uri="*%2F*" OR uri="*%5C*")
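As an added example (not part of this advisory or of Atlassian's tooling), the following Python script applies the log indicators above to constructed access-log lines: it normalizes each request URI roughly the way a servlet container resolves it (repeated percent-decoding to defeat double encoding, backslash treated as a separator, dot-segment resolution) and flags requests that reach WEB-INF, including ones the literal SIEM query above would miss because "WEB-INF" itself is percent-encoded. The log format, IP addresses and paths are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined style); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:01:02 +0000] "GET /browse/myrepo HTTP/1.1" 200 5123
203.0.113.9 - - [10/Jan/2022:10:01:07 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 403 0
203.0.113.9 - - [10/Jan/2022:10:01:09 +0000] "GET /%57EB-INF/web.xml HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jan/2022:10:01:11 +0000] "GET /static/..%2FWEB-INF%2Fclasses HTTP/1.1" 200 410
203.0.113.9 - - [10/Jan/2022:10:01:13 +0000] "GET /static/%252e%252e%252fWEB-INF/ HTTP/1.1" 200 410
198.51.100.2 - - [10/Jan/2022:10:02:00 +0000] "GET /rest/api/latest/web-info HTTP/1.1" 200 77
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def normalize(uri, max_rounds=3):
    """Decode percent-encoding repeatedly (defeats double encoding), treat '\\' as a
    separator and resolve '.'/'..' segments, approximating the path the server resolves."""
    prev, rounds = None, 0
    while prev != uri and rounds < max_rounds:
        prev, uri, rounds = uri, unquote(uri), rounds + 1
    parts = []
    for seg in uri.split("?", 1)[0].replace("\\", "/").split("/"):
        if seg == "..":
            parts = parts[:-1]
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def classify(raw_uri):
    """Return (normalized path, reasons): 'web-inf-path' when a WEB-INF segment is
    reached after normalization, 'percent-encoded' when the raw URI used encoding."""
    norm = normalize(raw_uri)
    reasons = []
    if any(seg.lower() == "web-inf" for seg in norm.split("/")):
        reasons.append("web-inf-path")
    if unquote(raw_uri) != raw_uri:
        reasons.append("percent-encoded")
    return norm, reasons

def scan(log_text):
    # One record per request whose normalized path reaches WEB-INF; status tells
    # whether the server actually served it (a 200 here deserves immediate triage).
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm, reasons = classify(m["uri"])
        if "web-inf-path" in reasons:
            hits.append({"ip": m["ip"], "raw": m["uri"], "normalized": norm,
                         "status": int(m["status"]), "reasons": reasons})
    return hits
```

Run `scan(SAMPLE_LOG)` to see that the four probes from 203.0.113.9 are flagged (three of them answered with 200) while the legitimate `/rest/api/latest/web-info` request is not.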