FishEye / FE-4016

FishEye XML Vulnerability


    Details

      Description

      We have identified and fixed a vulnerability in FishEye/Crucible that results from the way third-party XML parsers are used in FishEye/Crucible.

      This vulnerability allows an attacker to:

      • Execute denial of service attacks against the FishEye and Crucible server, and
      • Read all local files readable to the system user under which FishEye and Crucible run.

      An attacker does not need to have an account with the affected FishEye or Crucible server to exploit this vulnerability.
      All versions of FishEye/Crucible up to and including 2.7.11 are affected.

      Fixed versions of FishEye/Crucible are:

      • FishEye and Crucible 2.7.12 for FishEye and Crucible 2.7.11
      • FishEye and Crucible 2.6.8 for FishEye and Crucible 2.6.7
      • FishEye and Crucible 2.5.8 for FishEye and Crucible 2.5.7

      There are no patches available.

      This issue is reported in our security advisories on these pages:
      FishEye: http://confluence.atlassian.com/x/jgK7E
      Crucible: http://confluence.atlassian.com/x/mQK7E

              People

              Assignee:
              vosipov Vitaly Osipov [Atlassian]
              Reporter:
              pwatson Paul Watson (Inactive)