
CVE-2020-14190 : What You Need to Know

Learn about CVE-2020-14190 affecting Atlassian Fisheye/Crucible versions before 4.8.4. Discover the impact, technical details, and mitigation steps for this Regex Denial of Service vulnerability.

Atlassian Fisheye and Crucible versions before 4.8.4 are vulnerable to Regular Expression Denial of Service (ReDoS) attacks via user-supplied regex in EyeQL queries.

Understanding CVE-2020-14190

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL.

What is CVE-2020-14190?

CVE-2020-14190 is a vulnerability in Atlassian Fisheye and Crucible that enables remote attackers to conduct Regex Denial of Service attacks by exploiting user-supplied regex in EyeQL.

The Impact of CVE-2020-14190

The vulnerability allows remote attackers to trigger Regex Denial of Service: a crafted pattern makes the regex engine backtrack catastrophically, consuming server CPU for as long as the match runs, which can disrupt the service and deny access to legitimate users of the affected systems.

Technical Details of CVE-2020-14190

Affected Systems and Versions

        Products: Atlassian Fisheye, Atlassian Crucible
        Vendor: Atlassian
        Versions Affected: Before 4.8.4

Vulnerability Description

        Type: Regex Denial of Service (ReDoS)
        Exploitation: Remote attackers can exploit user-supplied regex in EyeQL to achieve ReDoS.

Affected Systems and Versions

        Atlassian Fisheye versions before 4.8.4
        Atlassian Crucible versions before 4.8.4

Exploitation Mechanism

        EyeQL accepts a user-supplied regular expression; a pathological pattern submitted there is evaluated by the server's regex engine, and the resulting catastrophic backtracking ties up the server (Regex Denial of Service).

Mitigation and Prevention

Immediate Steps to Take

        Upgrade Atlassian Fisheye and Crucible to version 4.8.4 or later.
        Validate user-supplied regular expressions before they are evaluated, rejecting patterns that can trigger catastrophic backtracking.

Long-Term Security Practices

        Regularly update and patch software to mitigate known vulnerabilities.
        Monitor and restrict user input so that malicious regex patterns are rejected before they reach the regex engine.
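The two items above ("validate user-supplied regular expressions" and "restrict user input") describe a pre-compilation guard for regex patterns. The following is an added example of such a guard, not Atlassian's fix and not code from Fisheye/Crucible (which are Java applications; the same checks apply to any backtracking engine such as java.util.regex, and Python's re module is used here for illustration). The limits MAX_PATTERN_LEN and MAX_REPEAT_BOUND are assumed values, and the function and class names are this example's own. It parses the pattern with Python's own regex parser and rejects the shapes that drive catastrophic backtracking: nested unbounded quantifiers such as (a+)+ and backreferences. It is a heuristic, so it should be paired with a hard time limit on matching.

```python
"""Pre-compilation ReDoS guard for user-supplied regular expressions (added example)."""
import re

try:                                    # Python 3.11+ moved the parser under re._parser
    from re import _parser as _sre_parser
    from re import _constants as _sre_constants
except ImportError:                     # Python <= 3.10
    import sre_parse as _sre_parser
    import sre_constants as _sre_constants

MAX_PATTERN_LEN = 200          # assumed limit: legitimate search patterns are short
MAX_REPEAT_BOUND = 1000        # assumed: a bounded quantifier above this counts as unbounded

_REPEAT_OPS = {_sre_constants.MAX_REPEAT, _sre_constants.MIN_REPEAT}
_GROUPREF_OPS = {_sre_constants.GROUPREF, _sre_constants.GROUPREF_EXISTS}


class UnsafePattern(ValueError):
    """Raised when a pattern fails the safety checks."""


def _children(op, av):
    """Yield the sub-patterns nested inside one parsed regex node."""
    if op in _REPEAT_OPS:
        yield av[2]                       # (min, max, body)
    elif op == _sre_constants.SUBPATTERN:
        yield av[-1]                      # (group, add_flags, del_flags, body)
    elif op == _sre_constants.BRANCH:
        yield from av[1]                  # (None, [alternative, ...])
    elif op in (_sre_constants.ASSERT, _sre_constants.ASSERT_NOT):
        yield av[1]                       # (direction, body)


def unbounded_repeat_depth(subpattern):
    """Deepest nesting of unbounded quantifiers: 2 for (a+)+, 1 for a+b, 0 for abc."""
    deepest = 0
    for op, av in subpattern:
        own = 0
        if op in _REPEAT_OPS:
            _lo, hi, _body = av
            if hi == _sre_constants.MAXREPEAT or hi > MAX_REPEAT_BOUND:
                own = 1
        nested = max((unbounded_repeat_depth(c) for c in _children(op, av)), default=0)
        deepest = max(deepest, own + nested)
    return deepest


def uses_backreference(subpattern):
    """True if the pattern contains a backreference (\\1, (?P=name) or (?(1)...))."""
    for op, av in subpattern:
        if op in _GROUPREF_OPS:
            return True
        if any(uses_backreference(c) for c in _children(op, av)):
            return True
    return False


def check_pattern(pattern):
    """Raise UnsafePattern if `pattern` fails the heuristics; otherwise return the parse tree.

    Note: overlapping alternations such as (a|aa)+ pass this check, so callers should
    still bound the wall-clock time spent matching.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        raise UnsafePattern(f"pattern longer than {MAX_PATTERN_LEN} characters")
    try:
        tree = _sre_parser.parse(pattern)
    except re.error as exc:
        raise UnsafePattern(f"invalid pattern: {exc}") from exc
    if uses_backreference(tree):
        raise UnsafePattern("backreferences are not allowed")
    if unbounded_repeat_depth(tree) > 1:
        raise UnsafePattern("nested unbounded quantifiers are not allowed")
    return tree


def safe_compile(pattern, flags=0):
    """Compile only patterns that pass check_pattern()."""
    check_pattern(pattern)
    return re.compile(pattern, flags)


def is_safe(pattern):
    """True/False wrapper around check_pattern() for callers that do not want exceptions."""
    try:
        check_pattern(pattern)
        return True
    except UnsafePattern:
        return False


if __name__ == "__main__":
    # Constructed sample patterns: the first two look like ordinary search terms,
    # the rest are the classic catastrophic-backtracking shapes.
    for p in (r"fix\s+CVE-\d+", r"(foo|bar){1,3}\d*", r"(a+)+$", r"((a*)*)*b", r"(\w+)\1"):
        print(f"{p!r:22} -> {'accepted' if is_safe(p) else 'rejected'}")
```

The guard runs on the pattern string alone, before any input is matched, so it costs nothing on the request path beyond one parse; the rejection reason can be logged to spot users repeatedly submitting pathological patterns.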

Patching and Updates

        Apply security patches provided by Atlassian to address the vulnerability.
