[FE-6892] mostActiveCommitters.do lacks permission checks - CVE-2017-9512 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 4.4.1
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.

was cloned as

CRUC-8053 mostActiveCommitters.do lacks permission checks - CVE-2017-9512

Closed

Hasnae (Inactive) made changes - 20/Dec/2019 5:08 AM

Labels

Original: CVE-2017-9512 advisory-released cvss-medium security

New: CVE-2017-9512 advisory-released cvss-medium information-disclosure security

Said made changes - 10/Dec/2019 4:11 AM

Labels

Original: CVE-2017-9512 advisory-released cvss-medium patch-management security

New: CVE-2017-9512 advisory-released cvss-medium security

Said made changes - 10/Dec/2019 4:11 AM

Labels

Original: CVE-2017-9512 advisory-released cvss-medium security

New: CVE-2017-9512 advisory-released cvss-medium patch-management security

Owen made changes - 16/Oct/2018 8:16 AM

Workflow

Original: FE-CRUC Bug Workflow [ 2944979 ]

New: JAC Bug Workflow v3 [ 2957225 ]

Owen made changes - 16/Oct/2018 4:43 AM

Workflow

Original: FECRU Development Workflow - Triage - Restricted [ 2409600 ]

New: FE-CRUC Bug Workflow [ 2944979 ]

David Black made changes - 29/Jan/2018 6:31 AM

Remote Link

Original: This issue links to "Page (Extranet)" [ 314231 ]

David Black made changes - 24/Aug/2017 11:41 AM

Description

Original: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses and other committer information, as it lacked permission checks.

New: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.

David Black made changes - 24/Aug/2017 11:40 AM

Labels

Original: advisory-released cvss-medium security

New: CVE-2017-9512 advisory-released cvss-medium security

David Black made changes - 24/Aug/2017 11:40 AM

Summary

Original: mostActiveCommitters.do available to anonymous users

New: mostActiveCommitters.do lacks permission checks - CVE-2017-9512

David Black added a comment - 24/Aug/2017 11:38 AM

CVSS v3 score: 5.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

David Black added a comment - 24/Aug/2017 11:38 AM CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Piotr Swiecicki

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 17/Jul/2017 9:06 AM

Updated:: 20/Dec/2019 5:08 AM

Resolved:: 17/Jul/2017 9:07 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[FE-6892] mostActiveCommitters.do lacks permission checks - CVE-2017-9512

Collapse comment: David Black added a comment - 24/Aug/2017 11:38 AM

Expand comment: David Black added a comment - 24/Aug/2017 11:38 AM

People

Dates