FishEye and Crucible Security Advisory 2014-05-21
This advisory discloses a critical security vulnerability that we have found in FishEye and fixed in a recent version of FishEye.
- Customers who have downloaded and installed FishEye should upgrade their existing FishEye installations.
The vulnerability affects FishEye version 3.x.
Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.
Administrator password reset
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
An unauthenticated user is able to set the admin password of FishEye to any value, gaining admin access to the FishEye instance as a result.
The vulnerability affects FishEye version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4.
If you are unable to upgrade your FishEye server you can do the following as a temporary workaround:
- Disallow external HTTP(S) access to your FishEye server.
This vulnerability can also be fixed by upgrading FishEye to one of the following versions: 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4. You can download these versions of Fisheye from the download center. There are no patches available.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.