An unauthenticated user is able to set the admin password of FishEye to any value, gaining admin access to the FishEye instance as a result.

The vulnerability affects FishEye version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4, 3.5.0.

For additional details see the full advisory.

[FE-5208] Administrator password reset

VitalyA added a comment -

Almost all security issues we fix, including this one, are discovered by ourselves at Atlassian. If we hear of an actual attack in the wild, we turn the patch around within days. There would certainly have been a heads up message as well.

Jarno Muurimäki added a comment -

Vitaly, I know the issue hasn't been openly discussed (at least here), but I feel some sort of "heads up" warning for the paranoid would be in order in situations like these. Anyway, thanks for patching it quickly.

VitalyA added a comment -

Jarno, this issue has had view restrictions removed only today. Check JIRA's "issue level security" feature at https://confluence.atlassian.com/display/JIRA/Configuring+Issue-level+Security.

Jarno Muurimäki added a comment -

This has been out in the open for a week and only now you're notifying customers?