FishEye and Crucible Security Advisory 2012-08-21
This advisory discloses security vulnerabilities that we have found in FishEye and/or Crucible and fixed in a recent version of FishEye and/or Crucible.
- Customers who have downloaded and installed FishEye and/or Crucible should upgrade their existing FishEye and/or Crucible installations to fix this vulnerability.
- Atlassian OnDemand and JIRA Studio customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Elevation of privileges vulnerability
Atlassian rates the severity level of this vulnerability as Medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
We have identified and fixed a vulnerability in FishEye and Crucible that results from behaviour of certain third-party frameworks used in FishEye and Crucible. This vulnerability allows any attacker to:
- Set the FishEye and Crucible instance to allow anonymous access
- Set the FishEye and Crucible instance to allow anonymous signup
All versions of FishEye and Crucible up to and including 2.7.14 are affected by this vulnerability. The vulnerability is fixed in FishEye and/or Crucible 2.8.0 and later. This issue can be tracked at - FE-4222Getting issue details... STATUS and - CRUC-6188Getting issue details... STATUS .
The table below describes the FishEye and/or Crucible versions and the specific functionality affected by the vulnerabilities. jira
FishEye and/or Crucible Vulnerability
|Elevation of privileges||
2.5.x or earlier
Note: The email we sent out wrongly states that fixed versions are 2.5.8 and 2.6.7. FishEye and Crucible development team apologise for the mistake.
If you cannot upgrade immediately, you can disable all access from the public Internet to your FishEye and/or Crucible instance to prevent external attacks.
The vulnerabilities and fix versions are described in the 'Vulnerability' section above.
We recommend that you upgrade to the latest version of FishEye and/or Crucible, if possible. For a full description of the latest version of FishEye and Crucible, see the FishEye release notes and Crucible release notes. You can download the latest version of FishEye and Crucible from the FishEye download centre and Crucible download centre.
There are no patches available.