According to our issue tracker, Atlassian Fisheye and Atlassian Crucible contained vulnerable versions of the Apache Commons FileUpload library noted in CVE-2016-1000031. However, our implementation of these libraries did not use the DiskFileItem class, which was the attack vector in this advisory. Despite that, Fisheye and Crucible 4.7.0 now contain a patched version of the library.
There is no risk item for Jira and Confluence. The CVE only affects Fisheye and Crucible, which are not part of Jira or Confluence.
If you do not have Fisheye or Crucible installed (these are separate applications entirely), you do not need to take any action.