FishEye and Crucible Security Advisory 2014-05-21

This advisory discloses a critical security vulnerability that we have found in Crucible and fixed in a recent version of Crucible.

  • Customers who have downloaded and installed Crucible should upgrade their existing Crucible installations.

The vulnerability affects Crucible version 3.x.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and are grateful for your help in identifying and resolving issues.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com.

Administrator password reset

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

An unauthenticated user is able to set the admin password of Crucible to any value, gaining admin access to the Crucible instance as a result.

The vulnerability affects Crucible version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4.
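As an added example (not Atlassian's code and not part of this advisory), the following Python script applies the version rules stated above to an inventory of Crucible instances: a 3.x install below the fix release for its minor line is flagged for upgrade, and a pre-3.0 install is reported as unaffected, as the advisory states. Two behaviours are assumptions of this script rather than statements from the advisory: a 3.x line with no listed fix release, and any version string that cannot be parsed, are flagged for review rather than silently passed. The host names and versions in the inventory are constructed sample data.

```python
"""Triage helper for the CRUC-6810 advisory (added example, not Atlassian's code).

Rules taken from the advisory: Crucible 3.x is affected, versions earlier than
3.0 are not, and the fix ships in 3.0.4, 3.1.7, 3.2.5, 3.3.4 and 3.4.4.
"""
from typing import Dict, List, Optional, Tuple

# Fix releases from the advisory, keyed by the 3.x minor line.
FIXED_BY_MINOR: Dict[int, Tuple[int, int, int]] = {
    0: (3, 0, 4),
    1: (3, 1, 7),
    2: (3, 2, 5),
    3: (3, 3, 4),
    4: (3, 4, 4),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a missing patch component counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Crucible version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def needs_upgrade(version: str) -> Tuple[bool, str]:
    """Return (needs_upgrade, reason) for one Crucible version string."""
    major, minor, patch = parse_version(version)
    if major < 3:
        return False, "versions earlier than 3.0 are not vulnerable"
    if major > 3:
        # Assumption: the advisory only names 3.x; later majors are outside its scope.
        return False, "outside the 3.x range covered by this advisory"
    fixed = FIXED_BY_MINOR.get(minor)
    if fixed is None:
        # Assumption: a 3.x line with no listed fix release is treated as unpatched.
        return True, f"3.{minor}.x has no fix release listed; treat as unpatched"
    fixed_text = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return False, f"at or above fixed release {fixed_text}"
    return True, f"upgrade to {fixed_text} or later"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, bool, str]]:
    """Run needs_upgrade over a {hostname: version} inventory, affected hosts first."""
    rows = []
    for host, version in inventory.items():
        try:
            flagged, reason = needs_upgrade(version)
        except ValueError as exc:
            flagged, reason = True, str(exc)  # unparseable version: flag for review
        rows.append((host, version, flagged, reason))
    rows.sort(key=lambda r: (not r[2], r[0]))
    return rows


# Constructed inventory: sample hosts and versions, not data from the advisory.
SAMPLE_INVENTORY = {
    "crucible-prod": "3.2.3",
    "crucible-stage": "3.4.4",
    "crucible-legacy": "2.10.7",
    "crucible-dev": "3.1",
    "crucible-lab": "3.x-snapshot",
}

if __name__ == "__main__":
    for host, version, flagged, reason in triage(SAMPLE_INVENTORY):
        label = "UPGRADE" if flagged else "ok     "
        print(f"{label} {host:16} {version:12} {reason}")
```

Feed `triage()` a mapping built from your own inventory source; the comparison is plain tuple ordering on (major, minor, patch), so a version such as `3.2.3` sorts below its fix release `3.2.5` and is flagged.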

The issue is tracked in CRUC-6810.

Risk Mitigation

If you are unable to upgrade your Crucible server you can do the following as a temporary workaround:

  • Disallow external HTTP(S) access to your Crucible server.

Fix

This vulnerability can also be fixed by upgrading Crucible to one of the following versions: 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4. You can download these versions of Crucible from the download center. There are no patches available.

Our Security Patch Policy describes when and how we release security patches and security upgrades for our products.

Last updated: 29 May 2014
