• Customers  who have downloaded and installed FishEye should upgrade their existing FishEye installations. 

The vulnerability affects FishEye version 3.x.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.

Administrator password reset

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

An unauthenticated user is able to set the admin password of FishEye to any value, gaining admin access to the FishEye instance as a result.

The vulnerability affects FishEye version 3.x. Versions earlier than 3.0 are not vulnerable. The vulnerability has been fixed in recent releases 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4.

The issue is tracked in  FE-5208 - Getting issue details... STATUS .

Risk Mitigation

If you are unable to upgrade your FishEye server you can do the following as a temporary workaround:

• Disallow external HTTP(S) access to your FishEye server.

Fix

This vulnerability can also be fixed by upgrading FishEye to one of the following versions: 3.0.4, 3.1.7, 3.2.5, 3.3.4, 3.4.4. You can download these versions of Fisheye from the download center. There are no patches available.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.