FishEye and Crucible Security Advisory 2011-05-16

This advisory announces a number of security vulnerabilities that we have found and fixed in recent versions of FishEye/Crucible. You need to upgrade your existing FishEye/Crucible installations to fix these vulnerabilities. Enterprise Hosted customers should request an upgrade by filing a ticket at JIRA Studio is not vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

If you have questions or concerns regarding this advisory, please raise a support request at

In this advisory:

XSS Vulnerabilities


Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect FishEye/Crucible instances, including publicly available instances (that is, internet-facing servers). XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attacks at, The Web Application Security Consortium and other places on the web.


The table below describes the FishEye/Crucible versions and the specific functionality affected by the XSS vulnerabilities.

FishEye/Crucible Feature

Affected FishEye/Crucible Versions

Issue Tracking

Crucible snippets

Crucible 2.4.5 to 2.5.0


Crucible author mapping

Crucible 2.4.5 to 2.5.0


Crucible changeset comments in search results

Crucible 2.3.0 to 2.5.0


Crucible comments search

Crucible 2.2.6 to 2.5.0


FishEye/Crucible dashboard - review activity

FishEye/Crucible 2.2.8 to 2.5.2


FishEye/Crucible reviews list

FishEye/Crucible 2.2.8 to 2.5.2


Risk Mitigation

We recommend that you upgrade your FishEye/Crucible installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your instance until you have applied the upgrade. For even tighter control, you could restrict access to trusted groups.


FishEye/Crucible 2.5.4 fixes all of these issues. View the issues linked above for information on earlier fix versions for each issue. For a full description of this release, see the FishEye 2.5 changelog and Crucible 2.5 Changelog. You can download the latest version of FishEye/Crucible from the download centre (FishEye download centre, Crucible download centre).

There are no patches available to fix these vulnerabilities. You must upgrade your FishEye/Crucible installation.

Our thanks to Marian Ventuneac of, who reported FE-3031 and FE-3032. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport