FishEye 2.4 : FishEye Security Advisory 2010-10-20
This page last changed on Oct 20, 2010 by alui.
This advisory announces a number of security vulnerabilities in earlier versions of FishEye that we have found and fixed in FishEye 2.4 and FishEye 2.3.7. In addition to releasing FishEye 2.4 and FishEye 2.3.7, we also provide a patch for the vulnerabilities mentioned below. You can apply this patch to existing installations of FishEye 2.3.6. However, we recommend that you upgrade to FishEye 2.4 to fix these vulnerabilities.

In this advisory: XSS Vulnerabilities

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect FishEye instances, including publicly available instances.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerabilities

The parts of FishEye affected by the XSS vulnerabilities are the Code Metrics Plugin and the revision ID parameters on annotated views.
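As an added illustration of the vulnerability class this advisory covers, the following is example code written for this page, not FishEye's implementation and not a description of the actual flaw: a handler echoes a revision identifier taken from the query string into an annotated-view page, first without output encoding (the bug class) and then with encoding appropriate to each output context. The URL paths, the parameter name `rev`, the page markup and the request URLs are all assumptions made for the example.

```python
"""Reflected XSS shown on a constructed example: a revision identifier from
the query string is echoed into an annotated-view page.  Example code only,
not FishEye's implementation; URL layout and parameter name are assumptions."""
import html
from urllib.parse import parse_qs, quote, urlsplit


def revision_from_url(url: str) -> str:
    """Pull the (hypothetical) 'rev' query parameter out of a request URL."""
    return parse_qs(urlsplit(url).query).get("rev", [""])[0]


def vulnerable_annotate_page(url: str) -> str:
    """The bug class: attacker-controlled input is written into HTML body text
    and into an href attribute verbatim, so markup supplied in the parameter
    becomes markup in the page the victim's browser renders."""
    rev = revision_from_url(url)
    return (
        f"<h1>Annotated view for revision {rev}</h1>\n"
        f'<a href="/browse?rev={rev}">permalink</a>'
    )


def hardened_annotate_page(url: str) -> str:
    """Encode for each output context: HTML body text with html.escape
    (quote=True also neutralises attribute delimiters), and the URL query
    component with percent-encoding so the value cannot break out of the href."""
    rev = revision_from_url(url)
    return (
        f"<h1>Annotated view for revision {html.escape(rev, quote=True)}</h1>\n"
        f'<a href="/browse?rev={quote(rev, safe="")}">permalink</a>'
    )


def contains_live_script(page: str) -> bool:
    """Crude oracle for the demo: does the rendered page carry a raw <script tag?"""
    return "<script" in page.lower()


# Constructed request URLs for the demo (not real FishEye URLs).
BENIGN_URL = "/annotate/src/Main.java?rev=1234"
ATTACK_URL = "/annotate/src/Main.java?rev=1234<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print("vulnerable:\n" + vulnerable_annotate_page(ATTACK_URL))
    print("hardened:\n" + hardened_annotate_page(ATTACK_URL))
```

For benign input the two renderers produce identical output; the difference only appears when the parameter carries characters that are significant in the output context, which is why output encoding is the fix for this class and why disabling a feature, as the Risk Mitigation section below describes for the Code Metrics Plugin, is only a stopgap.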
Risk Mitigation

We recommend that you upgrade your FishEye installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the 'Code Metrics Plugin' via the Administration Console ('Plugins' menu item under 'Systems Settings') to mitigate the Code Metrics Plugin XSS vulnerability. There is no mitigation for the FishEye Revision ID Parameters on Annotated Views XSS vulnerability other than upgrading or applying the patch.

Fix

FishEye-only installations: If you cannot upgrade to FishEye 2.4/2.3.7, you can patch your existing installation using the patch listed below.
FishEye+Crucible installations: If you cannot upgrade to Crucible 2.4/2.3.7, you can patch your existing installation using the patch listed below.

Available Patches

If for some reason you cannot upgrade to FishEye 2.4/2.3.7 or Crucible 2.4/2.3.7, you can apply the following patch to fix the vulnerabilities described in this security advisory.

Step 1 of the Patch Procedure: Install the Patch

A patch is available for FishEye/Crucible 2.3.6 only. The patch addresses the following issue:
Document generated by Confluence on Oct 21, 2010 00:41