FishEye Security Advisory 2010-10-20

This advisory announces a number of security vulnerabilities in earlier versions of FishEye that we have found and fixed in FishEye 2.4 and FishEye 2.3.7. In addition to releasing FishEye 2.4 and FishEye 2.3.7, we also provide a patch for the vulnerabilities mentioned below. You will be able to apply this patch to existing installations of FishEye 2.3.6. However, we recommend that you upgrade to FishEye 2.4 to fix these vulnerabilities.

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect FishEye instances, including publicly available instances.

  • An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
  • XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye page. An attacker's text and script might be displayed to other people viewing the page.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
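The two bullet points above describe the vulnerability class rather than the specific FishEye code paths, so the following added example (not FishEye's code, and not from this advisory) shows the general pattern behind a reflected XSS in a query parameter such as a revision ID: the same untrusted value rendered once by string concatenation and once with HTML encoding, with a small parser-based check that tells the two outputs apart the way a browser would. The URL, parameter name and page template are constructed for the illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a revision-id style query parameter that
# carries markup instead of a revision number. Not FishEye's real URL scheme.
SAMPLE_URL = "http://fisheye.example/browse/repo/file.txt?r=<script>alert(1)</script>"


def revision_from_url(url: str) -> str:
    """Pull the hypothetical 'r' (revision) parameter out of a URL."""
    return parse_qs(urlparse(url).query).get("r", [""])[0]


def render_unsafe(revision: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<h1>Annotated view of revision {revision}</h1>"


def render_escaped(revision: str) -> str:
    """Hardened pattern: HTML-encode the value before it enters a text node.

    html.escape replaces < > & and (with quote=True) the quote characters,
    so the value can no longer open a tag or break out of an attribute.
    """
    return f"<h1>Annotated view of revision {html.escape(revision, quote=True)}</h1>"


class TagCollector(HTMLParser):
    """Collects the start tags a parser sees, as a rough model of what a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the tag names present in an HTML fragment, in document order."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injected(fragment: str, expected_tags: list[str]) -> bool:
    """Detection check: does the rendered page contain tags the template did not put there?"""
    return tags_in(fragment) != expected_tags


if __name__ == "__main__":
    rev = revision_from_url(SAMPLE_URL)
    print("unsafe  :", render_unsafe(rev), "| injected:", injected(render_unsafe(rev), ["h1"]))
    print("escaped :", render_escaped(rev), "| injected:", injected(render_escaped(rev), ["h1"]))
```

The check compares the tags the parser finds against the tags the template itself contains; a reflected value that adds a `script` element (or any other element) to that list is exactly the condition the advisory's second bullet describes.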

Vulnerabilities

The table below describes the parts of FishEye affected by the XSS vulnerabilities.

FishEye Feature                                   | Affected FishEye Versions | Issue Tracking
--------------------------------------------------+---------------------------+---------------
Code Metrics Plugin                               | 2.0.x to 2.3.6 inclusive  | CRUC-4572
FishEye Revision ID Parameters on Annotated Views | 2.3.0 to 2.3.6 inclusive  | CRUC-4641

Risk Mitigation

We recommend that you upgrade your FishEye installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the 'Code Metrics Plugin' via the Administration Console ('Plugins' menu item under 'Systems Settings') to mitigate the Code Metrics Plugin XSS vulnerability. There is no mitigation for the FishEye Revision ID Parameters on Annotated Views XSS vulnerability.

Fix

FishEye-only installations:
FishEye 2.4 (recommended) and FishEye 2.3.7 fix these issues. For a full description of the FishEye 2.4 release, see the release notes. You can download FishEye 2.4 from the download centre. You can download FishEye 2.3.7 from the download centre archives.

If you cannot upgrade to FishEye 2.4/2.3.7, you can patch your existing installation using the patch listed below.

FishEye+Crucible installations:
Crucible 2.4 (recommended) and Crucible 2.3.7 fix these issues. For a full description of the Crucible 2.4 release, see the release notes. You can download Crucible 2.4 from the download centre. You can download Crucible 2.3.7 from the download centre archives.

If you cannot upgrade to Crucible 2.4/2.3.7, you can patch your existing installation using the patch listed below.

Available Patches

If for some reason you cannot upgrade to FishEye 2.4/2.3.7 or Crucible 2.4/2.3.7, you can apply the following patch to fix the vulnerabilities described in this security advisory.

Step 1 of the Patch Procedure: Install the Patch

A patch is available for FishEye/Crucible 2.3.6 only.

The patch addresses the following issue:

  • XSS vulnerability in the code metrics plugin (CRUC-4572).
  • XSS vulnerability in revision ID parameters on annotated views (CRUC-4641).

  1. Shut down FishEye.
  2. Back up your FishEye instance.
  3. Download the patch, fisheye-2.3.6-security-patch.zip.
  4. Expand the zip file into <fisheye_install_dir>, overwriting the existing files.
     The patch will overwrite your 'plugins/bundled-plugins.zip' file as well as some class files.
  5. Restart FishEye.
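Steps 2 and 4 are the ones that go wrong in practice, so here is an added helper (not part of the advisory or of the FishEye patch) that carries them out with two checks a practitioner would want first: a preview of which existing files the archive will overwrite, and a refusal to expand an archive whose entries point outside the install directory. The install layout and the patch contents below are constructed stand-ins built in a temporary directory; only the file name fisheye-2.3.6-security-patch.zip and the path plugins/bundled-plugins.zip come from the advisory, and stopping and restarting FishEye (steps 1 and 5) are left to the operator.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path


def unsafe_entries(patch_zip) -> list[str]:
    """Entries that would escape the install dir: absolute paths or '..' components."""
    with zipfile.ZipFile(patch_zip) as zf:
        return [n for n in zf.namelist()
                if Path(n).is_absolute() or ".." in Path(n).parts]


def files_to_overwrite(install_dir, patch_zip) -> list[str]:
    """Preview: archive entries that already exist as files under install_dir."""
    root = Path(install_dir)
    with zipfile.ZipFile(patch_zip) as zf:
        return sorted(n for n in zf.namelist()
                      if not n.endswith("/") and (root / n).is_file())


def backup_install(install_dir, backup_dir) -> Path:
    """Step 2: copy the whole install dir aside before anything is overwritten."""
    dest = Path(backup_dir) / (Path(install_dir).name + ".bak")
    shutil.copytree(install_dir, dest)
    return dest


def apply_patch(install_dir, patch_zip) -> list[str]:
    """Step 4: expand the archive over the install dir; returns the files it replaced."""
    if unsafe_entries(patch_zip):
        raise ValueError("patch archive contains entries outside the install dir")
    overwritten = files_to_overwrite(install_dir, patch_zip)
    with zipfile.ZipFile(patch_zip) as zf:
        zf.extractall(install_dir)
    return overwritten


def build_fixture():
    """Constructed install dir and patch archive for the demonstration (not the real patch)."""
    work = Path(tempfile.mkdtemp())
    install = work / "fisheye-2.3.6"
    (install / "plugins").mkdir(parents=True)
    (install / "plugins" / "bundled-plugins.zip").write_bytes(b"old bundled plugins")
    (install / "lib").mkdir()
    (install / "lib" / "Unrelated.class").write_bytes(b"untouched")
    patch = work / "fisheye-2.3.6-security-patch.zip"
    with zipfile.ZipFile(patch, "w") as zf:
        zf.writestr("plugins/bundled-plugins.zip", "new bundled plugins")
        zf.writestr("lib/Fixed.class", "new class file")
    return install, patch, work


def run_demo() -> dict:
    """Back up, preview, apply, and report what changed; cleans up its temp dir."""
    install, patch, work = build_fixture()
    backup = backup_install(install, work)
    overwritten = apply_patch(install, patch)
    result = {
        "overwritten": overwritten,
        "backup_has_old": (backup / "plugins" / "bundled-plugins.zip").read_bytes() == b"old bundled plugins",
        "new_bundled": (install / "plugins" / "bundled-plugins.zip").read_bytes(),
        "new_class_present": (install / "lib" / "Fixed.class").is_file(),
        "untouched": (install / "lib" / "Unrelated.class").read_bytes(),
    }
    shutil.rmtree(work)
    return result


def unsafe_demo() -> list[str]:
    """A constructed archive with a traversal entry, to show the refusal path."""
    work = Path(tempfile.mkdtemp())
    bad = work / "bad.zip"
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("plugins/bundled-plugins.zip", "x")
        zf.writestr("../outside.txt", "x")
    found = unsafe_entries(bad)
    shutil.rmtree(work)
    return found


if __name__ == "__main__":
    print(run_demo())
    print("rejected entries:", unsafe_demo())
```

Against a real installation you would call `backup_install` and `apply_patch` with the actual `<fisheye_install_dir>` and the downloaded zip instead of `build_fixture`; the overwrite preview is worth keeping in the change record, since the advisory only says "some class files" are replaced.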
