  1. FishEye
  2. FE-4016

FishEye XML Vulnerability


      We have identified and fixed a vulnerability in FishEye/Crucible that results from the way third-party XML parsers are used in FishEye/Crucible.

      This vulnerability allows an attacker to:

      • Execute denial-of-service attacks against the FishEye and Crucible server, and
      • Read all local files readable to the system user under which FishEye and Crucible run.

      An attacker does not need to have an account with the affected FishEye or Crucible server to exploit this vulnerability.
      All versions of FishEye/Crucible up to and including 2.7.11 are affected.

      Fixed versions of FishEye/Crucible are:

      • FishEye and Crucible 2.7.12 for FishEye and Crucible 2.7.11
      • FishEye and Crucible 2.6.8 for FishEye and Crucible 2.6.7
      • FishEye and Crucible 2.5.8 for FishEye and Crucible 2.5.7

      There are no patches available.

      This issue is reported in our security advisories on these pages:
      FishEye: http://confluence.atlassian.com/x/jgK7E
      Crucible: http://confluence.atlassian.com/x/mQK7E

            vosipov VitalyA
            pwatson paulwatson (Inactive)