FishEye and Crucible Security Advisory 2012-08-21

This advisory discloses security vulnerabilities that we have found in FishEye and/or Crucible and fixed in a recent version of FishEye and/or Crucible.

  • Customers who have downloaded and installed FishEye and/or Crucible should upgrade their existing FishEye and/or Crucible installations to fix this vulnerability.  
  • Atlassian OnDemand and JIRA Studio customers are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them. 

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

In this advisory:

Elevation of privileges vulnerability

Severity

Atlassian rates the severity level of this vulnerability as Medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in FishEye and Crucible that results from behaviour of certain third-party frameworks used in FishEye and Crucible. This vulnerability allows any attacker to:

  • Set the FishEye and Crucible instance to allow anonymous access
  • Set the FishEye and Crucible instance to allow anonymous signup

 All versions of FishEye and Crucible up to and including 2.7.14 are affected by this vulnerability. The vulnerability is fixed in FishEye and/or Crucible 2.8.0 and later. This issue can be tracked at  FE-4222 - FishEye privilege escalation vulnerability Closed and CRUC-6188 - Crucible privilege escalation vulnerability Closed . 

 The table below describes the FishEye and/or Crucible versions and the specific functionality affected by the vulnerabilities. jira

FishEye and/or Crucible Vulnerability

Affected versions

Fixed Version

Issue Tracking

Elevation of privileges

2.5.x or earlier

2.6.x

2.7.x

2.5.9

2.6.9

2.7.15, 2.8.0

FE-4222 - FishEye privilege escalation vulnerability Closed

CRUC-6188 - Crucible privilege escalation vulnerability Closed

Note: The email we sent out wrongly states that fixed versions are 2.5.8 and 2.6.7. FishEye and Crucible development team apologise for the mistake.

Risk Mitigation

If you cannot upgrade immediately, you can disable all access from the public Internet to your FishEye and/or Crucible instance to prevent external attacks.

Fix

Upgrade

The vulnerabilities and fix versions are described in the 'Vulnerability' section above.

We recommend that you upgrade to the latest version of FishEye and/or Crucible, if possible. For a full description of the latest version of FishEye and Crucible, see the FishEye release notes and Crucible release notes. You can download the latest version of FishEye and Crucible from the FishEye download centre and Crucible download centre.

There are no patches available.

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport