Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8112

XSS in the administration user deletion resource through the uname parameter - CVE-2017-14587

XMLWordPrintable

      The administration user deletion resource in Atlassian FishEye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.

            [CRUC-8112] XSS in the administration user deletion resource through the uname parameter - CVE-2017-14587

            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2941656 ] New: JAC Bug Workflow v3 [ 2953998 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 2448980 ] New: FE-CRUC Bug Workflow [ 2941656 ]

            David Black added a comment - - edited

            security+atlassian1282683442 you can setup a Jira filter to email you about the release of non-critical security issues, that is issues with at least the following labels - [advisory-released, advisory, security].

            David Black added a comment - - edited security+atlassian1282683442 you can setup a Jira filter to email you about the release of non-critical security issues, that is issues with at least the following labels - [advisory-released, advisory, security] .

            Security Team at Clearvision added a comment -

            Thank you for getting back to us dblack.

            I understand that this is considered Medium per Atlassian assessment.
            Is there any channel (e-mail, rss, etc) that any security issue can be tracked besides this instance of JIRA?
            Thank you.

            Cheers!

             

            p.s.  http://go.atlassian.com/cvss redirects to https://atlassian.my.centrify.com so I'm assuming that isn't public

            Security Team at Clearvision added a comment - Thank you for getting back to us dblack . I understand that this is considered Medium per Atlassian assessment. Is there any channel (e-mail, rss, etc) that any security issue can be tracked besides this instance of JIRA? Thank you. Cheers!   p.s.  http://go.atlassian.com/cvss  redirects to https://atlassian.my.centrify.com  so I'm assuming that isn't public

            David Black added a comment -

            security+atlassian1282683442 https://www.atlassian.com/trust/security shows advisory publication information generally only for critical security issues. This issue is where a bug that has been fixed has been released.

            David Black added a comment - security+atlassian1282683442 https://www.atlassian.com/trust/security shows advisory publication information generally only for critical security issues. This issue is where a bug that has been fixed has been released.

            Security Team at Clearvision added a comment -

            Hi dblack,
            https://www.atlassian.com/trust/security is not showing any Security Advisory for this one ?
            Can you confirmed where this was made public ?

            Thank you.

             

            Kind regards

            Security Team at Clearvision added a comment - Hi dblack , https://www.atlassian.com/trust/security is not showing any Security Advisory for this one ? Can you confirmed where this was made public ? Thank you.   Kind regards
            David Black made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]
            David Black made changes -
            Fix Version/s New: 4.5.0 [ 72296 ]
            Fix Version/s New: 4.4.2 [ 72295 ]
            Fix Version/s Original: 4.4.2 [ 72094 ]
            Fix Version/s Original: 4.5.0 [ 71891 ]
            Key Original: FE-6934 New: CRUC-8112
            Project Original: FishEye [ 11830 ] New: Crucible [ 11771 ]

            David Black added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 5.4 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction Required

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality Low
            Integrity Low
            Availability None

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
            David Black made changes -
            Link New: This issue is detailed by FECRU-7292 [ FECRU-7292 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: