CVE-2017-18035 in FishEye
Summary
by MITRE
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check; this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
Analysis
by VulDB Data Team • 01/01/2020
The vulnerability identified as CVE-2017-18035 affects Atlassian Fisheye and Crucible prior to versions 4.5.1 and 4.6.0 respectively. It is a critical authorization bypass flaw that undermines the security model of these source code review and repository management tools. The affected REST endpoint, /rest/review-coverage-chart/1.0/data/<repository_name>/.json, serves review coverage statistics for a repository, but it does not verify that the caller is authorized for the named repository before returning repository-specific data. This missing permissions check discloses information beyond the access boundaries the application is intended to enforce.
In practice, unauthenticated or unauthorized users can perform reconnaissance against the repository structure of a Fisheye or Crucible instance: a direct request to the endpoint with a repository name as the path parameter reveals whether that repository exists and returns its review coverage statistics, with no authorization required. The weakness is classified as CWE-284 (Improper Access Control), a classic case of an insufficient authorization check in a web application. The impact goes beyond the disclosed statistics themselves, since an attacker can map which repositories exist and how they are reviewed, which supports more sophisticated attacks against the underlying source code management infrastructure.
The operational consequences are severe for organizations that rely on Fisheye and Crucible for their code review workflows and source code management. An attacker can use the disclosed data to identify sensitive repositories, understand review coverage patterns, and select specific code areas for further exploitation. The vulnerability directly violates the principle of least privilege and yields intelligence that can be leveraged in later attack phases. From an ATT&CK framework perspective, it maps to the reconnaissance phase, where adversaries gather information about the target environment, specifically technique T1069.001 (permission groups) and technique T1083 (file and directory discovery). The security impact can cascade, as the discovered repository information lets attackers plan targeted attacks against particular codebases or development teams.
Organizations should immediately apply the vendor-provided patches, Fisheye and Crucible versions 4.5.1 and 4.6.0 respectively, to remediate this vulnerability. In the interim, administrators should restrict network-level access to the affected REST endpoint, particularly from untrusted networks. Additional mitigations include enforcing proper authentication, deploying a web application firewall to monitor and block suspicious API requests, and conducting access control reviews to confirm that only authorized users can reach repository information. Security monitoring should be tuned to detect unusual patterns of repository enumeration, such as one source requesting coverage data for many distinct repository names, and regular audits should verify that access controls remain correctly configured. The vulnerability illustrates the importance of correct access control implementation in web applications and the need for thorough security testing of API endpoints that expose sensitive operational data.
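As an added example of the monitoring suggested above (not code from the page, VulDB or Atlassian), the following script scans web server access logs for hits on the affected endpoint and flags sources that probe several distinct repository names. It assumes combined log format in front of Fisheye/Crucible; the log lines, IP addresses and repository names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
# The repository name is the path segment between /data/ and /.json.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /rest/review-coverage-chart/1.0/data/payments-core/.json HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.7 - - [01/Jan/2020:10:00:02 +0000] "GET /rest/review-coverage-chart/1.0/data/billing-api/.json HTTP/1.1" 200 498 "-" "curl/7.64"
203.0.113.7 - - [01/Jan/2020:10:00:03 +0000] "GET /rest/review-coverage-chart/1.0/data/does-not-exist/.json HTTP/1.1" 404 87 "-" "curl/7.64"
203.0.113.7 - - [01/Jan/2020:10:00:04 +0000] "GET /rest/review-coverage-chart/1.0/data/infra-secrets/.json HTTP/1.1" 200 530 "-" "curl/7.64"
198.51.100.4 - alice [01/Jan/2020:10:05:00 +0000] "GET /rest/review-coverage-chart/1.0/data/payments-core/.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - alice [01/Jan/2020:10:05:10 +0000] "GET /browse/payments-core HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The vulnerable resource from the advisory; the repository name is captured.
COVERAGE_RE = re.compile(r'^/rest/review-coverage-chart/1\.0/data/(?P<repo>[^/]+)/\.json$')

def parse_coverage_requests(log_text):
    """Yield (ip, user, repo, status) for each request to the affected endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        c = COVERAGE_RE.match(m.group("path"))
        if c:
            yield m.group("ip"), m.group("user"), c.group("repo"), int(m.group("status"))

def find_enumerators(log_text, min_distinct_repos=3):
    """Return {ip: {"repos": set, "anonymous": bool, "not_found": int}} for sources
    that requested coverage data for at least min_distinct_repos distinct names.
    Anonymous access ('-' user) plus a mix of 200 and 404 responses is the
    existence-oracle pattern described in the analysis."""
    per_ip = defaultdict(lambda: {"repos": set(), "anonymous": False, "not_found": 0})
    for ip, user, repo, status in parse_coverage_requests(log_text):
        rec = per_ip[ip]
        rec["repos"].add(repo)
        rec["anonymous"] |= user == "-"
        rec["not_found"] += status == 404
    return {ip: rec for ip, rec in per_ip.items() if len(rec["repos"]) >= min_distinct_repos}

if __name__ == "__main__":
    for ip, rec in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(rec['repos'])} repos probed, anonymous={rec['anonymous']}, 404s={rec['not_found']}")
```

The threshold is deliberately low for the sample; on a real instance, tune it against the normal number of repositories a single user views per session.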