Atlassian Crucible 3.x < 3.0.4 / 3.1.7 / 3.2.5 / 3.3.4 / 3.4.4 Administrator Password Reset

high Nessus Plugin ID 77158

Synopsis

The version of Atlassian Crucible installed on the remote host is potentially affected by an administrator password reset flaw.

Description

According to its self-reported version, the installation of Atlassian Crucible running on the remote host is potentially affected by a flaw in which a remote, unauthenticated user can reset the password of the built-in 'admin' user to an arbitrary value. An attacker who does so can then log in as that user and gain administrative access to the application. Note that the check relies on the version the application reports and does not attempt the reset, so it runs only in paranoid mode and cannot tell whether a backported fix is in place.

Solution

Upgrade to Crucible 3.0.4 / 3.1.7 / 3.2.5 / 3.3.4 / 3.4.4 or later.
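The fix is branch-specific, so "version 3.1.6 is newer than 3.0.4" does not mean it is safe; 3.1.x needs 3.1.7. The following is an added example, not the Nessus plugin's own NASL code, that encodes the five fixed releases from the solution text and triages a set of self-reported version strings. The host inventory is constructed sample data; the assumption that 3.x branches newer than 3.4 (released after the fix) are unaffected, and the pre-3.0 / 4.x out-of-scope handling, are choices made here rather than statements from the page.

```python
import re

# First fixed release on each affected 3.x branch, per the solution text above.
FIXED_BY_BRANCH = {
    (3, 0): (3, 0, 4),
    (3, 1): (3, 1, 7),
    (3, 2): (3, 2, 5),
    (3, 3): (3, 3, 4),
    (3, 4): (3, 4, 4),
}


def parse_version(ver):
    """Turn a self-reported version string such as '3.1.6' or '3.2' into a
    (major, minor, patch) tuple. A missing patch level is treated as 0 and any
    trailing qualifier (e.g. '3.3.4-SNAPSHOT') is ignored. Returns None if the
    string does not start with at least 'major.minor'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", ver or "")
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(ver):
    """True if the version is below its branch's fixed release, False if at or
    above it. Returns None when the version cannot be parsed or is outside the
    3.x scope of this check (assumption: pre-3.0 and 4.x are not covered here)."""
    parsed = parse_version(ver)
    if parsed is None or parsed[0] != 3:
        return None
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        # Assumption: a 3.x branch newer than 3.4 postdates the fix.
        return False
    return parsed < fixed


def triage(inventory):
    """inventory is assumed to be {host: self_reported_version}. Returns the
    sorted list of hosts that still need the branch-appropriate upgrade."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real scan.
    SAMPLE = {
        "crucible-a": "3.1.6",           # below 3.1.7 -> vulnerable
        "crucible-b": "3.1.7",           # fixed on the 3.1 branch
        "crucible-c": "3.0.4",           # fixed on the 3.0 branch
        "crucible-d": "3.2",             # parsed as 3.2.0, below 3.2.5
        "crucible-e": "3.4.4-SNAPSHOT",  # qualifier ignored, 3.4.4 is fixed
        "crucible-f": "3.5.0",           # branch newer than 3.4, assumed fixed
        "crucible-g": "2.10.1",          # outside the 3.x scope
    }
    for host, ver in SAMPLE.items():
        print(f"{host:12s} {ver:16s} vulnerable={is_vulnerable(ver)}")
    print("needs upgrade:", triage(SAMPLE))
```

Because the decision rests entirely on the self-reported version, treat a "vulnerable" result the way the plugin does: as a prompt to confirm the installed build and upgrade to the fixed release on that branch, not as proof that the reset is reachable on that host.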

See Also

http://www.nessus.org/u?09a8ff3e

https://jira.atlassian.com/browse/CRUC-6810

Plugin Details

Severity: High

ID: 77158

File Name: crucible_3_0_4.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 8/12/2014

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:atlassian:crucible

Required KB Items: Settings/ParanoidReport, installed_sw/crucible

Exploit Ease: No known exploits are available

Patch Publication Date: 5/21/2014

Vulnerability Publication Date: 5/14/2014

Reference Information

BID: 67618