Unauthenticated Remote Access to Review Coverage Statistics in Atlassian Fisheye and Crucible

CVE-2017-18035 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check. This allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
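
For defenders reviewing historical traffic, the following added example (not Atlassian's code and not part of the original advisory) scans access logs for requests to the resource named above and lists clients that requested it for several distinct repositories. It assumes a reverse proxy in front of Fisheye/Crucible writing common/combined log format; the function names, the `min_repos` threshold, and the sample log lines with their addresses, users and status codes are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Resource path from the advisory; the repository name is the segment before "/.json".
RESOURCE = re.compile(r"/rest/review-coverage-chart/1\.0/data/(?P<repo>[^/]+)/\.json$")

# Assumption: common/combined log format as written by a reverse proxy.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation IP ranges, made-up repositories and statuses).
SAMPLE = [
    '203.0.113.7 - - [12/Jan/2018:10:01:02 +0000] "GET /rest/review-coverage-chart/1.0/data/payments/.json HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2018:10:01:03 +0000] "GET /rest/review-coverage-chart/1.0/data/hr-tools/.json HTTP/1.1" 200 498',
    '203.0.113.7 - - [12/Jan/2018:10:01:04 +0000] "GET /rest/review-coverage-chart/1.0/data/nosuchrepo/.json HTTP/1.1" 404 120',
    '198.51.100.4 - alice [12/Jan/2018:10:05:00 +0000] "GET /fisheye/rest/review-coverage-chart/1.0/data/payments/.json?x=1 HTTP/1.1" 200 512',
    '198.51.100.4 - alice [12/Jan/2018:10:05:09 +0000] "GET /browse/payments HTTP/1.1" 200 9001',
]

def coverage_chart_hits(lines):
    """Return {(client_ip, user): {repository: {status codes}}} for hits on the resource."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = urlsplit(m["target"]).path  # drop any query string; tolerate a context path
        r = RESOURCE.search(path)
        if r:
            hits[(m["ip"], m["user"])][unquote(r["repo"])].add(int(m["status"]))
    return {client: dict(repos) for client, repos in hits.items()}

def enumeration_suspects(hits, min_repos=3):
    """Clients that requested the resource for at least min_repos distinct repositories."""
    return sorted(c for c, repos in hits.items() if len(repos) >= min_repos)

if __name__ == "__main__":
    for client in enumeration_suspects(coverage_chart_hits(SAMPLE)):
        print(client)
```

On instances that were running an affected version, each repository name in the output can then be compared with the repositories that client was entitled to see.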