FishEye and Crucible Security Advisory 2014-02-26

This advisory details a critical security vulnerability that we have found in FishEye and fixed in recent versions of FishEye.

  • Customers who have downloaded and installed FishEye should upgrade their existing FishEye installations to fix this vulnerability.
  • Atlassian OnDemand customers are not affected because OnDemand does not include FishEye.

The vulnerability affects all versions of FishEye up to and including 3.1.5.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.

User privilege escalation

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in https://www.atlassian.com/security. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in FishEye which allowed unauthenticated users to perform actions as any other authorised user. To exploit this vulnerability, an attacker only needs network access to your FishEye web interface; no credentials are required.

A FishEye server is only vulnerable if it has been configured as one end of an Application Link that uses Trusted Applications authentication. Note that Trusted Applications was the default for previously created links unless you explicitly chose OAuth when configuring them, so check the authentication type of each existing link rather than assuming it uses OAuth.

The vulnerability affects all supported versions of FishEye up to and including 3.1.5. It has been fixed in 3.2.0, 3.1.6 and 2.10.8. The issue is tracked as FE-4965 (Privilege escalation), which is now closed.

Risk Mitigation

If you are unable to upgrade your FishEye server, you can apply the following temporary workarounds:

  • Block access to your FishEye server web interface from untrusted networks, such as the Internet.
  • Remove any Application links that use Trusted Applications authentication and re-create them using OAuth.

Fix

This vulnerability is fixed by upgrading FishEye, and we recommend upgrading. If you have any questions, please raise a support request at http://support.atlassian.com.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products. For FishEye, only security upgrades are released; binary patches are not.

Upgrading FishEye

Upgrade to FishEye 3.2.0, 3.1.6, 2.10.8 or a later version, which fixes this vulnerability. For a full description of these releases, see the Fisheye Release Notes.
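As an added example (not Atlassian's code and not part of the original advisory), the following Python helper classifies FishEye version strings from a host inventory against the fixed releases named above, so that an estate with several instances can be triaged quickly. The host names, versions and the `trusted_apps_link` flag in the sample inventory are constructed data; in practice the flag would come from checking each instance's Application Links configuration.

```python
"""Added triage helper (not Atlassian code): classify FishEye versions against
the fixed releases named in this advisory (3.2.0, 3.1.6 and 2.10.8)."""
from typing import List, Tuple

# First fixed release on each maintenance branch, per the advisory text.
FIXED_BY_BRANCH = {
    (2, 10): (2, 10, 8),
    (3, 1): (3, 1, 6),
}
# 3.2.0 and every later version carry the fix.
FIRST_FIXED_MAINLINE = (3, 2, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.1.5' or '3.2' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FishEye version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_fixed(version: str) -> bool:
    """True if this version contains the fix for FE-4965."""
    v = parse_version(version)
    if v >= FIRST_FIXED_MAINLINE:
        return True
    # Older branches only carry the fix from the listed release onwards;
    # a branch without a listed fix (e.g. 3.0.x) is always affected.
    branch_fix = FIXED_BY_BRANCH.get(v[:2])
    return branch_fix is not None and v >= branch_fix


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Map (host, version, has_trusted_apps_link) to (host, version, status).

    A fixed version needs no action. An affected version is exploitable only
    when the instance is one end of an Application Link that uses Trusted
    Applications, but the advisory asks for an upgrade in either case.
    """
    report = []
    for host, version, trusted_apps_link in inventory:
        if is_fixed(version):
            status = "fixed"
        elif trusted_apps_link:
            status = "vulnerable: Trusted Applications link present, upgrade or apply workarounds"
        else:
            status = "affected version, no Trusted Applications link: upgrade"
        report.append((host, version, status))
    return report


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("fisheye-prod.example.internal", "3.1.5", True),
    ("fisheye-legacy.example.internal", "2.10.7", True),
    ("fisheye-dev.example.internal", "3.0.4", False),
    ("fisheye-new.example.internal", "3.2.0", True),
    ("fisheye-lts.example.internal", "2.10.8", True),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:35} {version:8} {status}")
```

The branch table matters because a plain numeric comparison against 3.1.6 would wrongly mark 2.10.8 as affected and 3.0.x as fixed; the advisory lists fixes per maintenance branch, and the helper mirrors that.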

Patches

Binary patches are not available for this advisory. You need to either upgrade to one of the fixed releases listed above or apply the recommended temporary workarounds.
