We have identified and fixed a vulnerability in FishEye/Crucible that results from the way third-party XML parsers are used in FishEye/Crucible.

This vulnerability allows an attacker to:

• Execute denial of service attacks against the FishEye and Crucible server, and
• Read all local files readable to the system user under which FishEye and Crucible run.

An attacker does not need to have an account with the affected FishEye or Crucible server to exploit this vulnerability.
All versions of FishEye/Crucible up to and including 2.7.11 are affected.

Fixed versions of FishEye/Crucible are:

• FishEye and Crucible 2.7.12 (fix release for FishEye and Crucible 2.7.11)
• FishEye and Crucible 2.6.8 (fix release for FishEye and Crucible 2.6.7)
• FishEye and Crucible 2.5.8 (fix release for FishEye and Crucible 2.5.7)

There are no patches available; upgrading to a fixed version is the only remedy.

This issue is reported in our security advisories on these pages:
FishEye: http://confluence.atlassian.com/x/jgK7E
Crucible: http://confluence.atlassian.com/x/mQK7E

[FE-4016] FishEye XML Vulnerability
