FishEye Security Advisory 2010-10-20
This advisory announces a number of security vulnerabilities in earlier versions of FishEye that we have found and fixed in FishEye 2.4 and FishEye 2.3.7. In addition to releasing FishEye 2.4 and FishEye 2.3.7, we also provide a patch for the vulnerabilities mentioned below. You will be able to apply this patch to existing installations of FishEye 2.3.6. However, we recommend that you upgrade to FishEye 2.4 to fix these vulnerabilities.
Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect FishEye instances, including publicly available instances.
- An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
The table below describes the parts of FishEye affected by the XSS vulnerabilities.

Affected component                                   Affected FishEye versions
Code Metrics Plugin                                  2.0.x to 2.3.6 inclusive
FishEye Revision ID Parameters on Annotated Views    2.3.0 to 2.3.6 inclusive
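The following Python example is added here to illustrate the bug class behind the "FishEye Revision ID Parameters on Annotated Views" entry; it is not FishEye's code and the advisory does not describe the actual defect or fix at this level of detail. It shows a request parameter reflected into HTML without encoding, beside a hardened handler that first validates the parameter's shape and then HTML-escapes it in both text and attribute context. The handler names, the URL layout, the revision-id pattern and the sample payload are all assumptions made for the illustration.

```python
import html
import re

# Constructed sample input: the kind of value an attacker places in a URL
# query parameter. It is an illustration of the bug class, not a payload
# taken from the advisory or known to work against FishEye.
HOSTILE_REV = '"><script>alert(document.cookie)</script>'

# Assumed shape of a legitimate revision identifier for this example
# (decimal or hex, up to 40 characters). This is not FishEye's rule.
REVISION_ID = re.compile(r"^[0-9a-fA-F]{1,40}$")


def escape_for_html(value: str) -> str:
    """Encode a user-controlled string for both element text and quoted
    attribute values (&, <, >, " and ' are all replaced)."""
    return html.escape(value, quote=True)


def render_annotated_view_vulnerable(path: str, rev: str) -> str:
    """Reflects the raw 'rev' parameter straight into the page: the bug class
    the advisory describes. Anything in 'rev' becomes markup."""
    return (
        f"<h1>Annotated view of {path}</h1>"
        f'<a href="/browse/{path}?r={rev}">Revision {rev}</a>'
    )


def render_annotated_view_fixed(path: str, rev: str) -> str:
    """Two independent layers: reject values that cannot be a revision id,
    and HTML-escape every user-controlled value before it reaches the page.
    Either layer alone would neutralise HOSTILE_REV; using both means a
    future change to the validation rule does not silently reopen the hole."""
    if not REVISION_ID.match(rev):
        raise ValueError("invalid revision id")
    safe_path = escape_for_html(path)
    safe_rev = escape_for_html(rev)
    return (
        f"<h1>Annotated view of {safe_path}</h1>"
        f'<a href="/browse/{safe_path}?r={safe_rev}">Revision {safe_rev}</a>'
    )


def is_reflected_unescaped(page: str, payload: str) -> bool:
    """Crude check used when probing your own instance: does the submitted
    value come back byte-for-byte, i.e. with its markup characters intact?"""
    return payload in page


def rejects_revision(rev: str) -> bool:
    """True if the hardened handler refuses the value at the validation layer."""
    try:
        render_annotated_view_fixed("src/Main.java", rev)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vulnerable = render_annotated_view_vulnerable("src/Main.java", HOSTILE_REV)
    print("vulnerable page reflects payload:", is_reflected_unescaped(vulnerable, HOSTILE_REV))
    print("hardened handler rejects payload:", rejects_revision(HOSTILE_REV))
    print("escaped form:", escape_for_html(HOSTILE_REV))
    print(render_annotated_view_fixed("src/Main.java", "1234"))
```

The `is_reflected_unescaped` helper is the same check you would run by hand against a test instance after applying the upgrade or patch: submit a value containing `<` and `"` in the affected parameter and confirm that the response contains only the encoded forms.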
We recommend that you upgrade your FishEye installation to fix these vulnerabilities.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the 'Code Metrics Plugin' via the Administration Console ('Plugins' menu item under 'Systems Settings') to mitigate the Code Metrics Plugin XSS vulnerability. There is no mitigation for the FishEye Revision ID Parameters on Annotated Views XSS vulnerability.
FishEye 2.4 (recommended) and FishEye 2.3.7 fix these issues. For a full description of the FishEye 2.4 release, see the release notes. You can download FishEye 2.4 from the download centre. You can download FishEye 2.3.7 from the download centre archives.
If you cannot upgrade to FishEye 2.4/2.3.7, you can patch your existing installation using the patch listed below.
Crucible 2.4 (recommended) and Crucible 2.3.7 fix these issues. For a full description of the Crucible 2.4 release, see the release notes. You can download Crucible 2.4 from the download centre. You can download Crucible 2.3.7 from the download centre archives.
If you cannot upgrade to Crucible 2.4/2.3.7, you can patch your existing installation using the patch listed below.
If for some reason you cannot upgrade to FishEye 2.4/2.3.7 or Crucible 2.4/2.3.7, you can apply the following patch to fix the vulnerabilities described in this security advisory.
Step 1 of the Patch Procedure: Install the Patch
A patch is available for FishEye/Crucible 2.3.6 only.
The patch addresses the following issues:
- XSS vulnerability in the code metrics plugin (CRUC-4572).
- XSS vulnerability in revision ID parameters on annotated views (CRUC-4641).