FishEye 2.5 : FishEye Security Advisory 2010-05-04
This page last changed on May 03, 2010 by edawson.
In this advisory:

Admin Escalation Vulnerability

Severity
Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed an admin escalation vulnerability, which affects FishEye instances. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of FishEye.

Vulnerability
This vulnerability allows a motivated attacker to perform admin actions. All versions of FishEye from 1.6.0-beta2 (including 1.6.0) through to 2.2.1 are affected by this admin escalation vulnerability.
Risk Mitigation
We strongly recommend either upgrading or patching your FishEye installation to fix this vulnerability. Please see the 'Fix' section below.
Fix
This issue has been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre. Later versions will include protection from this vulnerability. The fix is also provided as a patch for FishEye 2.1.4, 2.0.6 and 1.6.6, which you can download from this page. Customers on earlier point versions of FishEye will have to upgrade to version 2.1.4, 2.0.6 or 1.6.6 before applying the patch. We recommend you upgrade to FishEye 2.2.3.

XSS Vulnerabilities in FishEye

Severity
Atlassian rates these vulnerabilities as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed several cross-site scripting (XSS) vulnerabilities in FishEye, which may affect FishEye instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of FishEye.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability
All versions of FishEye prior to 2.2.3 are affected by these XSS vulnerabilities.
Risk Mitigation
We strongly recommend upgrading your FishEye installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix
These issues have been fixed in FishEye 2.2.3 (see the changelog), which you can download from the download centre.

Prevention of Brute Force Attacks

Severity
Atlassian rates this vulnerability as moderate, according to the scale published in Severity Levels for Security Issues.

Risk Assessment
We have improved the security of the following areas in FishEye:
Vulnerability
We have identified and fixed a problem where FishEye allows an unlimited number of repeated login attempts, potentially opening FishEye to a brute force attack. Details of this improvement are summarised below.
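The weakness above is the absence of any per-source rate limit on failed logins. Atlassian's Fail2Ban guidance (see Risk Mitigation below) applies that limit externally by matching failed-login lines in FishEye's log; the detector below does the same thing in a few lines of Python so you can see the sliding-window logic and test it against log data before trusting a Fail2Ban filter. This is an added example, not FishEye or Atlassian code. The log line format, the sample lines, the IP addresses and the threshold/window values are all constructed for the example; FishEye's real log format is not shown on this page, so adapt the regex to what your instance actually writes.

```python
"""Sliding-window failed-login detector (added example; not FishEye code).

Assumed, constructed log format:
    <ISO timestamp> LOGIN <FAILED|OK> user=<name> ip=<addr>
Replace LINE_RE with a pattern for your real authentication log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGIN (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_brute_force(lines, threshold=5, window_seconds=60):
    """Return {ip: time_threshold_was_crossed} for every source IP that produced
    at least `threshold` failed logins inside any `window_seconds` window.

    Lines are expected in chronological order, as a log file normally is.
    Successful logins and unparseable lines are ignored; only failures count,
    so a user who eventually logs in correctly does not reset the counter."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window relative to this one.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


# Constructed sample log (not real FishEye output, not real addresses):
#  - 203.0.113.7 makes six failures in 30 s   -> should be flagged at the 5th
#  - 198.51.100.9 fails twice, minutes apart  -> should not be flagged
#  - 192.0.2.44 fails five times, 70 s apart  -> never 5 inside a 60 s window
SAMPLE_LOG = """
2010-05-04T10:00:00 LOGIN FAILED user=admin ip=203.0.113.7
2010-05-04T10:00:05 LOGIN FAILED user=admin ip=203.0.113.7
2010-05-04T10:00:06 LOGIN OK user=alice ip=198.51.100.9
2010-05-04T10:00:11 LOGIN FAILED user=admin ip=203.0.113.7
2010-05-04T10:00:17 LOGIN FAILED user=administrator ip=203.0.113.7
2010-05-04T10:00:23 LOGIN FAILED user=admin ip=203.0.113.7
2010-05-04T10:00:30 LOGIN FAILED user=root ip=203.0.113.7
2010-05-04T10:02:00 LOGIN FAILED user=bob ip=198.51.100.9
2010-05-04T10:09:00 LOGIN FAILED user=bob ip=198.51.100.9
2010-05-04T10:09:30 LOGIN OK user=bob ip=198.51.100.9
2010-05-04T10:10:00 LOGIN FAILED user=admin ip=192.0.2.44
2010-05-04T10:11:10 LOGIN FAILED user=admin ip=192.0.2.44
2010-05-04T10:12:20 LOGIN FAILED user=admin ip=192.0.2.44
2010-05-04T10:13:30 LOGIN FAILED user=admin ip=192.0.2.44
2010-05-04T10:14:40 LOGIN FAILED user=admin ip=192.0.2.44
"""


def run_demo(threshold=5, window_seconds=60):
    """Run the detector over the constructed sample with the given parameters."""
    return find_brute_force(SAMPLE_LOG.strip().splitlines(), threshold, window_seconds)


if __name__ == "__main__":
    for ip, when in run_demo().items():
        print(f"{ip}: brute-force threshold crossed at {when.isoformat()}")
```

The threshold and window are the two knobs a Fail2Ban jail exposes as `maxretry` and `findtime`; whatever values you choose, check them against your own log the way the sample above does, because a window that is too short lets a slow attacker through (the 192.0.2.44 case) and one that is too long locks out legitimate users who mistype a password.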
Risk Mitigation
We recommend that you upgrade your FishEye installation to fix this vulnerability. Please see the 'Fix' section below. You can also prevent brute force attacks by following our guidelines on using Fail2Ban to limit login attempts.

Fix
This issue has been fixed in FishEye 2.2.3 (see the changelog). Later versions will include protection from this vulnerability. You can download FishEye 2.2.3 from the download centre.

Changed Behaviour in FishEye
In order to fix these issues, we have changed FishEye's behaviour as follows:
Download Patches for Earlier FishEye / Crucible Versions
These patches fix the Admin Escalation vulnerability only; they do not address the XSS or brute force issues, which are fixed in FishEye 2.2.3. Please note that these patches are for specific older point versions of FishEye (2.1.4, 2.0.6 or 1.6.6). If you are running an earlier version than these, you will need to upgrade to a version specifically addressed by one of these patches. To update a more recent version of the product (2.1.5 through 2.2.1), please upgrade to FishEye 2.2.3 or later. Atlassian strongly recommends that you upgrade to FishEye 2.2.3 or later. MD5 checksums are provided to allow verification of the downloaded files.

Patch for FishEye / Crucible 2.1.4
Patch for FishEye / Crucible 2.0.6
Patch for FishEye 1.6.6
Patch for Crucible 1.6.6
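The MD5 checksums published with the patches above let you confirm that a download arrived intact before you apply it. Added example, not Atlassian code: the script below parses an `md5sum`-style checksum listing, streams each file through MD5 and reports match, mismatch or missing file; the patch filenames, the listing and the file contents are constructed so it runs offline (the real checksums are on this page, not reproduced here). On Linux the one-command equivalent is `md5sum -c listing.txt` in the download directory. Two caveats a practitioner should keep in mind: MD5 detects corruption and truncation but is no longer collision-resistant, and a checksum only proves the file matches the listing you read, so obtain that listing from Atlassian's page over HTTPS rather than from the same mirror that served the file.

```python
"""Verify downloaded patch archives against published MD5 checksums.

Added example; not Atlassian code. Filenames, listing and contents below are
constructed for the demo; substitute the values from the advisory page.
"""
import hashlib
import hmac
import os
import tempfile


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large archive is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5_listing(text):
    """Parse 'md5sum' style lines ('<32 hex>  <filename>', optional '*' binary marker).

    Returns {filename: lowercase_md5}. A malformed line raises instead of being
    skipped, so a mangled listing cannot silently leave a file unverified."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 32
                or any(c not in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_downloads(listing_text, directory):
    """Return {filename: True (match) | False (mismatch) | None (file not present)}."""
    results = {}
    for name, want in parse_md5_listing(listing_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = None
            continue
        # compare_digest is not needed against an offline listing, but it is the
        # habit to keep for any hash comparison in code that might later face a network.
        results[name] = hmac.compare_digest(md5_of_file(path), want)
    return results


# Constructed demo data (hypothetical filenames): one intact file, one corrupted
# download, and one file that was never downloaded.
DEMO_FILES = {
    "fisheye-2.1.4-patch.zip": b"hello\n",              # md5 b1946ac92492d2347c6235b4d2611184
    "fisheye-2.0.6-patch.zip": b"corrupted download",   # listing below expects the empty-file md5
}
DEMO_LISTING = """
# constructed listing, not the checksums published by Atlassian
b1946ac92492d2347c6235b4d2611184  fisheye-2.1.4-patch.zip
d41d8cd98f00b204e9800998ecf8427e  fisheye-2.0.6-patch.zip
d41d8cd98f00b204e9800998ecf8427e  fisheye-1.6.6-patch.zip
"""


def run_demo():
    """Write the constructed files to a temp directory and verify them against the listing."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in DEMO_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_downloads(DEMO_LISTING, d)


if __name__ == "__main__":
    labels = {True: "OK", False: "MISMATCH - do not apply", None: "MISSING"}
    for name, status in run_demo().items():
        print(f"{name}: {labels[status]}")
```

Treat any result other than a match as a reason not to apply the patch: re-download the file and re-check, and if the mismatch persists, compare the listing you have against the one on this page.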
Document generated by Confluence on Apr 03, 2011 23:09