Dear customers,
We are writing to inform you of newly discovered security vulnerabilities in GreenHopper, which we have fixed in a recent version of GreenHopper.
* Customers who have downloaded and installed GreenHopper should upgrade their existing GreenHopper plugin to fix these vulnerabilities.
* Enterprise Hosted customers need to request an upgrade by raising a support request at
http://support.atlassian.com in the "Enterprise Hosting Support" project.
* Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
https://confluence.atlassian.com/display/GH/GreenHopper+Security+Advisory+2012-08-21.
If you have questions or concerns regarding this advisory, please raise a support request at
http://support.atlassian.com/.
*** Security advisory ***
*XSS Vulnerabilities*
Severity -- Atlassian rates the severity level of these vulnerabilities as High, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/JIRA/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. These vulnerabilities are not of Critical severity.
Description -- We have identified and fixed several reflected and persistent (stored) cross-site scripting (XSS) vulnerabilities that affect GreenHopper instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a GreenHopper page. You can read more about XSS attacks at
http://www.cgisecurity.com/articles/xss-faq.shtml, http://projects.webappsec.org/Cross-Site+Scripting and other places on the web. These vulnerabilities affect all supported versions of GreenHopper, and have been fixed in GreenHopper 5.9.8. This issue can be tracked here:
http://jira.atlassian.com/browse/GHS-5642
Risk Mitigation -- We strongly recommend upgrading your GreenHopper installation to fix these vulnerabilities. Please see the 'Fix' section below.
Fix -- Upgrade. The vulnerabilities and fix versions are described in the 'Description' section above. We recommend that you upgrade to the latest version of GreenHopper, if possible. For a full description of the latest version of GreenHopper, see the release notes:
https://confluence.atlassian.com/display/GH/GreenHopper+Releases. You can download the latest version of GreenHopper from the download centre:
http://www.atlassian.com/software/greenhopper/download-addons. Patches are not available for these vulnerabilities.
Kind regards,
Atlassian