We are writing to inform you of a number of newly discovered security vulnerabilities in FishEye and Crucible. These security vulnerabilities have severity levels from medium to high. To fix these vulnerabilities, you should follow the instructions in the security advisory below. JIRA Studio is not vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-05-16 or http://confluence.atlassian.com/display/CRUCIBLE/FishEye+and+Crucible+Security+Advisory+2011-05-16.
If you have any questions or concerns about these security vulnerabilities or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian security policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
*** Security Advisory ***
*XSS Vulnerabilities in Various FishEye/Crucible Features*
Severity -- Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in our documentation (http://confluence.atlassian.com/display/FISHEYE/Severity+Levels+for+Security+Issues). The scale allows us to rank the severity as critical, high, moderate or low.
Risk Assessment -- We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect FishEye/Crucible instances, including publicly available instances (that is, internet-facing servers). XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.
Vulnerability -- The list below describes the FishEye/Crucible versions and the specific functionality affected by the XSS vulnerabilities.
1) Vulnerability in Crucible snippets, affecting Crucible 2.4.5 to 2.5.0. See issue http://jira.atlassian.com/browse/CRUC-5734
2) Vulnerability in Crucible author mapping, affecting Crucible 2.4.5 to 2.5.0. See issue http://jira.atlassian.com/browse/CRUC-5735
3) Vulnerability in Crucible changeset comments in search results, affecting Crucible 2.3.0 to 2.5.0. See issue http://jira.atlassian.com/browse/CRUC-5736
4) Vulnerability in Crucible comments search, affecting Crucible 2.2.6 to 2.5.0. See issue http://jira.atlassian.com/browse/CRUC-5737
5) Vulnerability in FishEye/Crucible dashboard - review activity, affecting FishEye/Crucible 2.2.8 to 2.5.2. See issue http://jira.atlassian.com/browse/FE-3031
6) Vulnerability in FishEye reviews list, affecting FishEye 2.2.8 to 2.5.2. See issue http://jira.atlassian.com/browse/FE-3032
Risk Mitigation -- We recommend that you upgrade your FishEye/Crucible installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your instance until you have applied the upgrade. For even tighter control, you could restrict access to trusted groups.
Fix -- FishEye/Crucible 2.5.4 fixes all of these issues. View the issues linked above for information on earlier fix versions for each issue. For a full description of this release, see the release notes (http://confluence.atlassian.com/display/FISHEYE/FishEye+2.5+Changelog and http://confluence.atlassian.com/display/CRUCIBLE/Crucible+2.5+Changelog). You can download the latest version of FishEye/Crucible from the download centre (http://www.atlassian.com/software/fisheye/FishEyeDownloadCenter.jspa and http://www.atlassian.com/software/crucible/CrucibleDownloadCenter.jspa).
Patches -- There are no patches available to fix these vulnerabilities. You must upgrade your FishEye/Crucible installation.
Our thanks to Marian Ventuneac of http://www.ventuneac.net, who reported FE-3031 and FE-3032. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Securely yours,
Atlassian