FishEye and Crucible Security Advisory 2012-08-21

This advisory discloses security vulnerabilities that we have found in FishEye and/or Crucible and fixed in a recent version of FishEye and/or Crucible.

  • Customers who have downloaded and installed FishEye and/or Crucible should upgrade their existing FishEye and/or Crucible installations to fix this vulnerability.
  • Atlassian OnDemand and JIRA Studio customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

Elevation of privileges vulnerability

Severity

Atlassian rates the severity level of this vulnerability as Medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in FishEye and Crucible that results from behaviour of certain third-party frameworks used in FishEye and Crucible. This vulnerability allows any attacker to:

  • Set the FishEye and Crucible instance to allow anonymous access
  • Set the FishEye and Crucible instance to allow anonymous signup

All versions of FishEye and Crucible up to and including 2.7.14 are affected by this vulnerability. The vulnerability is fixed in FishEye and/or Crucible 2.8.0 and later. This issue can be tracked at FE-4222 and CRUC-6188.

The table below describes the FishEye and/or Crucible versions and the specific functionality affected by the vulnerabilities.

FishEye and/or Crucible Vulnerability | Affected Versions | Fixed Version  | Issue Tracking
Elevation of privileges               | 2.5.x and earlier | 2.5.9          | FE-4222, CRUC-6188
Elevation of privileges               | 2.6.x             | 2.6.9          | FE-4222, CRUC-6188
Elevation of privileges               | 2.7.x             | 2.7.15, 2.8.0  | FE-4222, CRUC-6188

Note: The email we sent out wrongly states that the fixed versions are 2.5.8 and 2.6.7. The FishEye and Crucible development team apologises for the mistake.

Risk Mitigation

If you cannot upgrade immediately, you can disable all access from the public Internet to your FishEye and/or Crucible instance to prevent external attacks.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Vulnerability' section above.

We recommend that you upgrade to the latest version of FishEye and/or Crucible, if possible. For a full description of the latest version of FishEye and Crucible, see the FishEye release notes and Crucible release notes. You can download the latest version of FishEye and Crucible from the FishEye download centre and Crucible download centre.

There are no patches available.


Last updated: 22 August 2012
