FishEye and Crucible Security Advisory 2014-05-21
This advisory discloses a critical security vulnerability that we have found in Crucible and fixed in a recent version of Crucible.
- Customers who have downloaded and installed Crucible should upgrade their existing Crucible installations.
The vulnerability affects Crucible version 3.x.
Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.
Administrator password reset
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
An unauthenticated user is able to set the admin password of Crucible to any value, gaining admin access to the Crucible instance as a result.
The vulnerability affects Crucible version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4.
The issue is tracked in CRUC-6810 - Getting issue details... STATUS .
Risk Mitigation
If you are unable to upgrade your Crucible server you can do the following as a temporary workaround:
- Disallow external HTTP(S) access to your Crucible server.
Fix
This vulnerability can also be fixed by upgrading Crucible to one of the following versions: 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4. You can download these versions of Crucible from the download center. There are no patches available.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.