CVE-2021-43958

9.8 CRITICAL

📋 TL;DR

CVE-2021-43958 allows remote attackers to brute force user credentials in Atlassian Fisheye and Crucible by bypassing CAPTCHA protection on REST endpoints. This affects all users of vulnerable versions who have REST API access enabled. Attackers can systematically guess passwords without rate limiting.

💻 Affected Systems

Products:
  • Atlassian Fisheye
  • Atlassian Crucible
Versions: All versions before 4.8.9
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects REST API endpoints used for authentication. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover leading to unauthorized access to source code repositories, sensitive intellectual property theft, and potential lateral movement within development environments.

🟠

Likely Case

Credential stuffing attacks resulting in compromised developer accounts, unauthorized code access, and potential injection of malicious code into repositories.

🟢

If Mitigated

Failed login attempts trigger CAPTCHA as designed, limiting brute force effectiveness to impractical levels.

🌐 Internet-Facing: HIGH - REST endpoints are typically exposed and the vulnerability allows unauthenticated exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but external threat surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple brute force scripts can exploit this vulnerability without authentication. No special tools required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.9 or later

Vendor Advisory: https://jira.atlassian.com/browse/CRUC-8523

Restart Required: Yes

Instructions:

1. Download Fisheye/Crucible 4.8.9 or later from the Atlassian website.
2. Back up the current installation and data.
3. Stop the service.
4. Install the new version.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict access to Fisheye/Crucible REST API endpoints to trusted IP addresses only

# Example using iptables for Linux (8060 is the default Fisheye/Crucible HTTP port;
# replace TRUSTED_IP_RANGE with the allowed source range in CIDR form)
iptables -A INPUT -p tcp --dport 8060 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 8060 -j DROP

Web Application Firewall Rules

Platform: All

Implement WAF rules to detect and block brute force patterns on authentication endpoints

# Example ModSecurity v2 rules: count POST requests to the auth endpoint per client IP
# and block once more than 10 are seen within 60 seconds. TX variables do not persist
# across requests, so the counter lives in the persistent 'ip' collection (requires SecDataDir).
SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule REQUEST_URI "@rx ^/rest/.*-auth/1/session$" \
    "phase:2,id:1001,t:none,log,deny,status:429,msg:'Brute force attempt detected',chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,setvar:'ip.brute_force_counter=+1',expirevar:'ip.brute_force_counter=60',chain"
        SecRule IP:BRUTE_FORCE_COUNTER "@gt 10" "t:none"

🧯 If You Can't Patch

  • Implement strong password policies and multi-factor authentication for all user accounts
  • Monitor authentication logs for unusual patterns and implement alerting for failed login attempts

🔍 How to Verify

Check if Vulnerable:

Check Fisheye/Crucible version via web interface or configuration files. Versions below 4.8.9 are vulnerable.

Check Version:

Check web interface or examine fisheye.version/crucible.version file in installation directory

Verify Fix Applied:

Verify version is 4.8.9 or later and test that failed login attempts trigger CAPTCHA on REST endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from same IP address on REST endpoints
  • Authentication requests bypassing CAPTCHA validation
  • Unusual pattern of /rest/*-auth/1/session requests

Network Indicators:

  • High volume of POST requests to authentication REST endpoints
  • Requests to /rest/*-auth/1/session without CAPTCHA parameters

SIEM Query:

source="fisheye.log" OR source="crucible.log" | search "POST /rest/" AND "session" AND "401" | stats count by src_ip
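A log-side check for the indicators above, added here as an example that is not part of this advisory: it parses constructed common-log-format access lines (the log format, timestamps and sample addresses are assumptions), counts failed (401) POSTs to the /rest/*-auth/1/session endpoint per source address in a 60-second sliding window, and flags sources that exceed a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-format line (format is an assumption); endpoint pattern follows the
# page's /rest/*-auth/1/session indicator.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTH_PATH_RE = re.compile(r"^/rest/[^/]*-auth/1/session(\?.*)?$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict of the fields we need, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def find_bruteforce_sources(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each source IP whose failed (401) POSTs to the REST session endpoint
    exceed `threshold` inside any `window` to its peak count in that window."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if (ev and ev["method"] == "POST" and ev["status"] == 401
                and AUTH_PATH_RE.match(ev["path"])):
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
# Constructed sample log: 12 failures from 203.0.113.5 within 33 s, one from 198.51.100.7.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2022:10:00:{i:02d} +0000] '
    f'"POST /rest/crucible-auth/1/session HTTP/1.1" 401 0' for i in range(0, 36, 3)
] + [
    '198.51.100.7 - - [10/Jan/2022:10:00:05 +0000] "POST /rest/crucible-auth/1/session HTTP/1.1" 401 0',
    '198.51.100.7 - - [10/Jan/2022:10:00:09 +0000] "POST /rest/crucible-auth/1/session HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.5': 12}
```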

🔗 References
