[FE-6892] mostActiveCommitters.do lacks permission checks - CVE-2017-9512

The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1, allows anonymous remote attackers to access sensitive information, for example the email addresses of committers, because it lacked permission checks.

Change history (most recent first):

Hasnae (Inactive) made changes -
  Labels
    Original: CVE-2017-9512 advisory-released cvss-medium security
    New: CVE-2017-9512 advisory-released cvss-medium information-disclosure security

Said made changes -
  Labels
    Original: CVE-2017-9512 advisory-released cvss-medium patch-management security
    New: CVE-2017-9512 advisory-released cvss-medium security

Said made changes -
  Labels
    Original: CVE-2017-9512 advisory-released cvss-medium security
    New: CVE-2017-9512 advisory-released cvss-medium patch-management security

Owen made changes -
  Workflow
    Original: FE-CRUC Bug Workflow [ 2944979 ]
    New: JAC Bug Workflow v3 [ 2957225 ]

Owen made changes -
  Workflow
    Original: FECRU Development Workflow - Triage - Restricted [ 2409600 ]
    New: FE-CRUC Bug Workflow [ 2944979 ]

David Black made changes -
  Remote Link
    Original: This issue links to "Page (Extranet)" [ 314231 ]

David Black made changes -
  Description
    Original: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses and other committer information, as it lacked permission checks.
    New: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.

David Black made changes -
  Labels
    Original: advisory-released cvss-medium security
    New: CVE-2017-9512 advisory-released cvss-medium security

David Black made changes -
  Summary
    Original: mostActiveCommitters.do available to anonymous users
    New: mostActiveCommitters.do lacks permission checks - CVE-2017-9512

David Black made changes -
  Description
    Original: Anonymous users have access to the mostActiveCommitters.do which leaks some sensitive information (such as email addresses).
    New: The mostActiveCommitters.do resource in Atlassian FishEye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses and other committer information, as it lacked permission checks.

Assignee: Unassigned
Reporter: Piotr Swiecicki (pswiecicki)
Affected customers: 0
Watchers: 1