Stash security advisory 2014-02-26

This advisory details a critical security vulnerability that we have found in Stash and fixed in recent versions of Stash.

  • Customers who have downloaded and installed Stash should upgrade their existing Stash installations to fix this vulnerability.  
  • Atlassian OnDemand customers are not affected because OnDemand does not include Stash.

The vulnerability affects all versions of Stash up to and including 2.5.3, 2.6.4, 2.7.5 and 2.8.3.

It does not affect versions 2.5.4, 2.6.5, 2.7.6, 2.8.4, 2.9.X, 2.10.X.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and appreciate your help in identifying and resolving issues.

If you have any questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com.

User privilege escalation

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in https://www.atlassian.com/security. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in Stash which allowed unauthenticated users to perform actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires network access to your Stash web interface.

The Stash server is only vulnerable if it has been configured as part of an Application Link that uses Trusted Applications authentication.

The vulnerability affects all supported versions of Stash up to and including 2.5.3, 2.6.4, 2.7.5 and 2.8.3. It has been fixed in the Stash security patch releases 2.5.4, 2.6.5, 2.7.6 and 2.8.4. The vulnerability does not affect the Stash 2.9 and 2.10 releases. The issue is tracked as STASH-4122.
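The affected and fixed version lists above are easy to misread when a server sits on an older branch (2.8.3 is vulnerable, 2.8.4 is not, while 2.9.0 was never affected). The following triage helper, added here as an illustration and not part of the advisory or of Stash itself, encodes the advisory's version ranges and reports whether a given Stash version is affected and which patch release on the same branch fixes it. The `assess_from_application_properties` function assumes the JSON body returned by Stash's `GET /rest/api/1.0/application-properties` endpoint carries a `version` field; the sample response in the block is constructed, not captured from a real server.

```python
import json
import re

# Version ranges from the advisory: for each affected branch, the last
# affected patch level. Branches 2.9 and later are not affected.
LAST_AFFECTED = {
    (2, 5): 3,
    (2, 6): 4,
    (2, 7): 5,
    (2, 8): 3,
}
FIRST_UNAFFECTED_BRANCH = (2, 9)


def parse_version(version):
    """Return (major, minor, patch) for strings such as '2.8.3' or '2.10.1-rc1'.
    Missing components are treated as 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch


def is_affected(version):
    """True if this Stash version is vulnerable per the 2014-02-26 advisory."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False
    if branch in LAST_AFFECTED:
        return patch <= LAST_AFFECTED[branch]
    # Anything older than the 2.5 branch falls under
    # "all versions up to and including 2.5.3".
    return True


def fixed_release_for(version):
    """Return the security patch release on the same branch, or None when the
    branch has no patch release (upgrade to 2.9 or later in that case)."""
    major, minor, _ = parse_version(version)
    branch = (major, minor)
    if branch in LAST_AFFECTED:
        return "%d.%d.%d" % (major, minor, LAST_AFFECTED[branch] + 1)
    return None


def assess_from_application_properties(body):
    """Assess a server from the JSON returned by
    GET /rest/api/1.0/application-properties.
    Assumption: the body carries a "version" field, as in the constructed
    sample below."""
    props = json.loads(body)
    version = props["version"]
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": fixed_release_for(version) if affected else None,
    }


# Constructed sample response (not captured from a real Stash server).
SAMPLE_RESPONSE = '{"version":"2.7.5","buildNumber":"2007005","displayName":"Stash"}'

if __name__ == "__main__":
    print(assess_from_application_properties(SAMPLE_RESPONSE))
```

Run it against the `version` value your own server reports; a result with `"affected": true` and `"upgrade_to": null` means the branch is older than 2.5 and has no patch release, so the only fix is an upgrade to 2.9 or later.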

Risk Mitigation


If you are unable to upgrade or patch your Stash server you can do the following as a temporary workaround:

  • Block access to your Stash server web interface from untrusted networks, such as the Internet.
  • Remove any Application links that use Trusted Applications authentication and re-create them using OAuth.

Fix

This vulnerability can be fixed by upgrading Stash to one of the security patch releases or to any release of Stash from 2.9.0 onwards. Security patch releases are available for every supported version of Stash; no separate binary patch is provided (see Patches below). If you have any questions, please raise a support request at http://support.atlassian.com. We recommend upgrading.

Our Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Upgrading Stash

Upgrade to one of the Stash patch releases, 2.5.4, 2.6.5, 2.7.6 or 2.8.4, which fix this vulnerability, or to one of the unaffected releases, 2.9 or later. For a full description of these releases, see the Stash Release Notes.

Patches

Binary patches are not available for this advisory. You need to either install one of the patch releases or apply recommended temporary workarounds.

Last updated 28 August 2015
