Severity
4.3 MEDIUM
EPSS
0.1%
top 70.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 2
Latest update: May 13

Description

The /rest/review-coverage-chart/1.0/data//.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check. This allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

CVEListV5 | atlassian/fisheye_and_crucible | prior to 4.5.1 and 4.6.0
NVD | atlassian/fisheye | < 4.5.1
NVD | atlassian/crucible | < 4.5.1

🔴 Vulnerability Details (2)

GHSA | GHSA-6fpv-4x2f-7hh2: The /rest/review-coverage-chart/1 | 2022-05-13
CVEList | CVE-2017-18035: The /rest/review-coverage-chart/1 | 2018-02-02