Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Atlassian Crucible Server < 3.10.0 Multiple Vulnerabilities

Medium

Synopsis

The remote Crucible server is affected by multiple attack vectors.

Description

Versions of Crucible prior to 3.10.0 are affected by multiple vulnerabilities :

- An unspecified flaw may allow an attacker to bypass Cross-Site Request Forgery (CSRF) protection mechanisms and conduct CSRF attacks. No further details have been provided by the vendor. (OSVDB 132108) - A flaw exists as HTTP requests to certain pages do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to perform backup actions that may overwrite the existing backup file. (OSVDB 132179) - A flaw exists that is triggered when handling HTTP requests containing newline characters. This may allow a remote attacker to inject forged content into log files. (OSVDB 132180)

Solution

Upgrade to Crucible version 3.10.0 or later.