FishEye Security Advisory 2010-10-20
This advisory announces a number of security vulnerabilities in earlier versions of FishEye that we have found and fixed in FishEye 2.4 and FishEye 2.3.7. In addition to releasing FishEye 2.4 and FishEye 2.3.7, we also provide a patch for the vulnerabilities described below. The patch applies only to existing installations of FishEye 2.3.6. However, we recommend that you upgrade to FishEye 2.4 to fix these vulnerabilities.
In this advisory:
XSS Vulnerabilities
Severity
Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect FishEye instances, including publicly available instances.
- An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
- XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye page. The attacker's text is then displayed to, and the script executed in the browsers of, other people viewing the page.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
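The following is an added illustration, not FishEye code and not the fix Atlassian shipped. It shows the bug class the advisory describes (a request parameter, here a revision ID of the kind reflected into annotated views, concatenated into markup without encoding) next to two hardened renderings: context-appropriate output encoding alone, and an allowlist check on the revision ID plus the same encoding. The `render_*` functions, the allowlist pattern and the payload are all assumptions made for the example.

```python
import html
import re
from urllib.parse import quote

# Assumption for this example: revision IDs are short tokens such as numeric
# SVN revisions or git/hg hashes. This allowlist is ours, not FishEye's.
REV_ID_PATTERN = re.compile(r"^[0-9A-Za-z][0-9A-Za-z._-]{0,63}$")

# Constructed attack input: closes the href attribute and injects a script tag.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(path: str, rev: str) -> str:
    """Reflects the revision parameter by plain string concatenation.

    Untrusted request data lands in both an attribute value and element text
    with no encoding, which is exactly what makes a parameter an XSS sink.
    """
    return (
        f"<h1>Annotated view of {path} at revision "
        f'<a href="/browse/{path}?r={rev}">{rev}</a></h1>'
    )


def render_encoded(path: str, rev: str) -> str:
    """Output encoding only: each sink gets the encoding its context needs."""
    path_q = quote(path, safe="/")  # URL path segments, keep the separators
    rev_q = quote(rev, safe="")     # URL query value, encode everything else
    href = html.escape(f"/browse/{path_q}?r={rev_q}", quote=True)  # attribute
    return (
        f"<h1>Annotated view of {html.escape(path)} at revision "
        f'<a href="{href}">{html.escape(rev)}</a></h1>'
    )


def accepts_revision_id(rev: str) -> bool:
    """Allowlist check: True only for IDs that look like real revisions."""
    return REV_ID_PATTERN.match(rev) is not None


def render_hardened(path: str, rev: str) -> str:
    """Validate, then still encode: rejecting malformed IDs is not a substitute
    for encoding, so both layers stay in place."""
    if not accepts_revision_id(rev):
        raise ValueError(f"rejected revision id: {rev!r}")
    return render_encoded(path, rev)


def reflects_payload(fragment: str, payload: str = XSS_PAYLOAD) -> bool:
    """Cheap regression check for a reflected-XSS sink: does the raw payload,
    or a bare <script> tag, survive into the rendered fragment?"""
    return payload in fragment or "<script>" in fragment


if __name__ == "__main__":
    print(render_vulnerable("src/Foo.java", XSS_PAYLOAD))
    print(render_encoded("src/Foo.java", XSS_PAYLOAD))
    print(accepts_revision_id(XSS_PAYLOAD), accepts_revision_id("1a2b3c"))
    print(render_hardened("src/Foo.java", "1a2b3c"))
```

The check in `reflects_payload` is deliberately crude; it catches the unencoded-concatenation case shown here, not every encoding mistake, so a real test suite would also parse the output or drive a browser.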
Vulnerabilities
The table below describes the parts of FishEye affected by the XSS vulnerabilities.
FishEye Feature | Affected FishEye Versions | Issue Tracking |
---|---|---|
Code Metrics Plugin | 2.0.x to 2.3.6 inclusive | CRUC-4572 |
FishEye Revision ID Parameters on Annotated Views | 2.3.0 to 2.3.6 inclusive | CRUC-4641 |
Risk Mitigation
We recommend that you upgrade your FishEye installation to fix these vulnerabilities.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the 'Code Metrics Plugin' via the Administration Console ('Plugins' menu item under 'Systems Settings') to mitigate the Code Metrics Plugin XSS vulnerability. There is no mitigation for the FishEye Revision ID Parameters on Annotated Views XSS vulnerability.
Fix
FishEye-only installations:
FishEye 2.4 (recommended) and FishEye 2.3.7 fix these issues. For a full description of the FishEye 2.4 release, see the release notes. You can download FishEye 2.4 from the download centre. You can download FishEye 2.3.7 from the download centre archives.
If you cannot upgrade to FishEye 2.4/2.3.7, you can patch your existing installation using the patch listed below.
FishEye+Crucible installations:
Crucible 2.4 (recommended) and Crucible 2.3.7 fix these issues. For a full description of the Crucible 2.4 release, see the release notes. You can download Crucible 2.4 from the download centre. You can download Crucible 2.3.7 from the download centre archives.
If you cannot upgrade to Crucible 2.4/2.3.7, you can patch your existing installation using the patch listed below.
Available Patches
If for some reason you cannot upgrade to FishEye 2.4/2.3.7 or Crucible 2.4/2.3.7, you can apply the following patch to fix the vulnerabilities described in this security advisory.
Patch Instructions Step 1: Install the Patch
A patch is available for FishEye/Crucible 2.3.6 only.
The patch addresses the following issues:
- XSS vulnerability in the code metrics plugin (CRUC-4572).
- XSS vulnerability in revision ID parameters on annotated views (CRUC-4641).
To apply the patch:
- Shut down FishEye.
- Back up your FishEye instance.
- Download the patch, fisheye-2.3.6-security-patch.zip.
- Expand the zip file into <fisheye_install_dir>, overwriting the existing files. The patch will overwrite your 'plugins/bundled-plugins.zip' file as well as some class files.
- Restart FishEye.
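The script below is an added example of the patch procedure above as an operator might script it; it is not part of the advisory or of the Atlassian distribution. It assumes an install directory that contains bin/stop.sh and bin/start.sh (the usual FishEye 2.x layout, but an assumption here), and it takes the running version from the operator, since the advisory names no file that records it. It adds the two checks a practitioner wants before overwriting files: the version is exactly 2.3.6, and the archive really contains plugins/bundled-plugins.zip, the file the advisory says the patch replaces.

```sh
#!/bin/sh
# Assumed layout (not stated in the advisory): <install_dir>/bin/stop.sh and
# <install_dir>/bin/start.sh exist, and the patch zip unpacks over <install_dir>.
set -eu

PATCH_VERSION="2.3.6"

# The patch is for FishEye/Crucible 2.3.6 only; refuse anything else.
require_version() {
    [ "$1" = "$PATCH_VERSION" ]
}

# Timestamped tarball of a directory tree, taken before any file is touched.
# Prints the archive path so the caller can record it.
backup_tree() {
    src=$1
    dest="$2/fisheye-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$dest" -C "$(dirname "$src")" "$(basename "$src")"
    printf '%s\n' "$dest"
}

# Sanity check that the archive is the security patch: per the advisory it
# overwrites plugins/bundled-plugins.zip, so that entry must be present.
patch_zip_looks_right() {
    unzip -l "$1" | grep -q 'plugins/bundled-plugins.zip'
}

# Full procedure: stop, back up, unpack over the install dir, start.
apply_patch() {
    install_dir=$1
    patch_zip=$2
    running_version=$3
    backup_dest=$4
    if ! require_version "$running_version"; then
        echo "patch is for $PATCH_VERSION only, not $running_version" >&2
        return 1
    fi
    if ! patch_zip_looks_right "$patch_zip"; then
        echo "$patch_zip lacks plugins/bundled-plugins.zip; wrong archive?" >&2
        return 1
    fi
    "$install_dir/bin/stop.sh"
    backup=$(backup_tree "$install_dir" "$backup_dest")
    echo "backup written to $backup"
    # -o overwrites existing files without prompting, as the advisory requires.
    unzip -o "$patch_zip" -d "$install_dir"
    "$install_dir/bin/start.sh"
}

# Usage: apply-patch.sh <fisheye_install_dir> <patch.zip> <running_version> <backup_dir>
if [ $# -eq 4 ]; then
    apply_patch "$@"
fi
```

If your FISHEYE_INST directory lives outside the install directory, back it up as well with `backup_tree`, since "back up your FishEye instance" covers the data, not only the binaries the patch replaces.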