CVE-2021-43958 : Security Advisory and Response

Fisheye and Crucible versions before 4.8.9 are susceptible to an improper restriction of excessive authentication attempts vulnerability, allowing remote attackers to brute force user login credentials.

Understanding CVE-2021-43958

What is CVE-2021-43958?

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute-force user login credentials due to a lack of checking if users exceeded their maximum failed login limits.

The Impact of CVE-2021-43958

This vulnerability enables attackers to bypass authentication mechanisms by exploiting the lack of CAPTCHA verification for excessive login attempts.

Technical Details of CVE-2021-43958

Vulnerability Description

Attackers can conduct brute force attacks on user credentials without the required CAPTCHA enforcement, compromising login security.

Affected Systems and Versions

Product: Fisheye
Vendor: Atlassian
Versions Affected: < 4.8.9 (unspecified custom version)
Product: Crucible
Vendor: Atlassian
Versions Affected: < 4.8.9 (unspecified custom version)

Exploitation Mechanism

Attackers exploit the vulnerability by repeatedly attempting login without encountering CAPTCHA verification, gaining unauthorized access.

Mitigation and Prevention

Immediate Steps to Take

Update Fisheye and Crucible to version 4.8.9 or above to eliminate the vulnerability.
Implement CAPTCHA checks for failed login attempts to add an extra layer of security.

Long-Term Security Practices

Enforce strong password policies and encourage the use of multi-factor authentication.
Regularly monitor login attempts and set thresholds for failed logins to detect suspicious activities.

Patching and Updates

Regularly apply patches and updates provided by Atlassian to address security flaws and enhance system resilience.