FishEye and Crucible Security Advisory 2014-05-21

This advisory discloses a critical security vulnerability that we have found in Crucible and fixed in a recent version of Crucible.

  • Customers who have downloaded and installed Crucible should upgrade their existing Crucible installations. 

The vulnerability affects Crucible version 3.x.


このアドバイザリに関してご質問や懸念がある場合は、 でサポート リクエストを起票してください。

Administrator password reset


Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.


An unauthenticated user is able to set the admin password of Crucible to any value, gaining admin access to the Crucible instance as a result.

The vulnerability affects Crucible version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4.

The issue is tracked in  CRUC-6810 - Getting issue details... STATUS .

Risk Mitigation

If you are unable to upgrade your Crucible server you can do the following as a temporary workaround:

  • Disallow external HTTP(S) access to your Crucible server.


This vulnerability can also be fixed by upgrading Crucible to one of the following versions: 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4. You can download these versions of Crucible from the download center. There are no patches available.

セキュリティ パッチ ポリシーでは、製品のセキュリティ パッチとセキュリティ アップグレードをいつどのようにリリースするかを説明しています。  

最終更新日 2014 年 5 月 29 日


Powered by Confluence and Scroll Viewport.