
mostActiveCommitters.do lacks permission checks - CVE-2017-9512

The mostActiveCommitters.do resource in Atlassian FishEye and Crucible before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.


Said made changes -
  Labels: Original: CVE-2017-9512 advisory-released cvss-medium security; New: CVE-2017-9512 advisory-released basm cvss-medium security
Owen made changes -
  Workflow: Original: FE-CRUC Bug Workflow [ 2941990 ]; New: JAC Bug Workflow v3 [ 2954369 ]
Owen made changes -
  Workflow: Original: FECRU Development Workflow - Triage - Restricted [ 2409601 ]; New: FE-CRUC Bug Workflow [ 2941990 ]
David Black made changes -
  Remote Link: Original: This issue links to "Page (Extranet)" [ 314234 ]
David Black made changes -
  Description: Original: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses and other committer information, as it lacked permission checks.
  New: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.
David Black made changes -
  Labels: Original: advisory-released cvss-medium security; New: CVE-2017-9512 advisory-released cvss-medium security
David Black made changes -
  Summary: Original: mostActiveCommitters.do available to anonymous users; New: mostActiveCommitters.do lacks permission checks - CVE-2017-9512
David Black made changes -
  Description: Original: Anonymous users have access to the mostActiveCommitters.do which leaks some sensitive information (such as email addresses).
  New: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses and other committer information, as it lacked permission checks.
David Black made changes -
  Remote Link: New: This issue links to "Page (Extranet)" [ 314234 ]
Piotr Swiecicki made changes -
  Labels: Original: advisory-released cvss-medium fecru-published security; New: advisory-released cvss-medium security

Assignee: Unassigned
Reporter: Piotr Swiecicki (pswiecicki)
