
How to remediate – Atlassian FishEye Detection

1. Introduction

Atlassian FishEye Detection indicates that a version control system interface is running on a remote web server. Atlassian FishEye provides a web-based interface for browsing and searching Git, Subversion, Mercurial, Perforce and other repositories. This can expose source code to unauthorized access if not properly secured. A successful exploit could lead to information disclosure.

2. Technical Explanation

The vulnerability lies in the presence of a publicly accessible FishEye instance. While not an inherent flaw in the software itself, its exposure creates a potential attack vector. An attacker can enumerate repositories and potentially access sensitive source code or commit history. There is no CVE associated with simply running FishEye; however, misconfigurations or unpatched versions may have additional vulnerabilities. A simple example would be an attacker browsing publicly accessible Git commits to find API keys or passwords.

  • Root cause: Publicly exposed Atlassian FishEye instance.
  • Exploit mechanism: An attacker accesses the web interface and enumerates repositories, potentially discovering sensitive information within commit history.
  • Scope: Any system running an Atlassian FishEye instance that is reachable from untrusted networks is affected.

3. Detection and Assessment

Confirming a vulnerable system involves checking for the presence of the FishEye web interface. A quick check can be performed via a web browser, while thorough assessment requires examining network services and configurations.

  • Quick checks: Access the server’s IP address or hostname in a web browser. If FishEye is running, you should see the Atlassian FishEye login page.
  • Scanning: Nessus plugin 16839 can detect exposed FishEye instances. The plugin ID is given as an example only and may change between Nessus releases.
  • Logs and evidence: Web server access logs may show requests to the FishEye web interface (typically on port 80 or 443).

curl -I http://{target_ip}

4. Solution / Remediation Steps

The primary solution is to restrict access to the FishEye instance, or remove it if not required. These steps aim to minimize exposure and protect sensitive data.

4.1 Preparation

  • Services: Stop the Atlassian FishEye service if restricting access. A rollback plan is to restart the service with the original configuration.

4.2 Implementation

  1. Step 1: Restrict network access using a firewall (e.g., iptables, Windows Firewall) to allow only authorized IP addresses or networks to connect to the FishEye server on ports 80 and 443.
  2. Step 2: If FishEye is not required, uninstall it from the server.

4.3 Config or Code Example

Before

# iptables -L (showing all interfaces open)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             {target_ip}           dport 80
ACCEPT     tcp  --  anywhere             {target_ip}           dport 443

After

# iptables -L (showing only authorized IPs allowed; the explicit DROP rules are needed because the chain policy is still ACCEPT)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  {authorized_ip}      {target_ip}           dport 80
ACCEPT     tcp  --  {authorized_ip}      {target_ip}           dport 443
DROP       tcp  --  anywhere             {target_ip}           dport 80
DROP       tcp  --  anywhere             {target_ip}           dport 443

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

  • Least privilege: Restrict network access to only authorized users and systems.
  • Network segmentation: Isolate sensitive services like FishEye on a separate network segment.

4.5 Automation (Optional)

# Example Ansible playbook snippet for restricting access via firewall
# (the rich rule only restricts access if the zone does not also open the http/https services to everyone)
- name: Restrict FishEye access to the authorized source on ports 80 and 443
  ansible.posix.firewalld:
    zone: public
    rich_rule: 'rule family="ipv4" source address="{{ authorized_ip }}" port port="{{ item }}" protocol="tcp" accept'
    permanent: true
    immediate: true
    state: enabled
  loop:
    - 80
    - 443

5. Verification / Validation

Confirm the fix by verifying that unauthorized access is blocked and authorized access remains functional.

  • Post-fix check: Attempt to access FishEye from an unauthorized IP address. You should receive a connection refused or timeout error.
  • Re-test: Repeat the quick check (web browser) from an unauthorized network to confirm access is denied.
  • Smoke test: Verify authorized users can still access FishEye if it remains in use.
  • Monitoring: Monitor firewall logs for blocked connections to ports 80 and 443 on the FishEye server.

curl -I http://{target_ip}   # should now fail with connection refused or a timeout
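As an added example (not part of the original article), the following Python script implements the "Logs and evidence" check from section 3 and the post-fix monitoring from section 5: it parses web server access logs in combined format and reports requests to the FishEye server from sources outside the authorized networks. The log lines, the 10.0.5.0/24 authorized range and the request paths are constructed sample data.

```python
"""Report FishEye web-interface requests from sources outside the authorized networks."""
import ipaddress
import re
from collections import Counter

# Apache/nginx combined log format: client IP, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}

def build_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def is_authorized(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source address is never treated as authorized
    return any(addr in net for net in networks)

def unauthorized_hits(lines, authorized_cidrs):
    """Return parsed entries whose client IP lies outside every authorized network."""
    nets = build_networks(authorized_cidrs)
    return [e for e in map(parse_line, lines) if e and not is_authorized(e["ip"], nets)]

def summarize(hits):
    """Count unauthorized requests per source IP, most active source first."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample log lines (not real traffic); paths are illustrative.
SAMPLE_LOG = [
    '10.0.5.12 - - [27/Dec/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [27/Dec/2025:10:01:09 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.45 - - [27/Dec/2025:10:01:15 +0000] "GET /browse/ HTTP/1.1" 200 8831 "-" "curl/8.4.0"',
    '10.0.5.77 - - [27/Dec/2025:10:02:30 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '198.51.100.9 - - [27/Dec/2025:10:03:01 +0000] "GET / HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]
AUTHORIZED = ["10.0.5.0/24"]  # constructed: the only network allowed to reach FishEye

if __name__ == "__main__":
    for ip, count in summarize(unauthorized_hits(SAMPLE_LOG, AUTHORIZED)):
        print(f"{ip}: {count} request(s) from outside the authorized networks")
```

After the firewall change in section 4 is applied, any new entry reported by this script is evidence that the restriction is not effective for that source.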

6. Preventive Measures and Monitoring

Implementing preventive measures can reduce the risk of future exposures.

  • Baselines: Update security baselines to include restrictions on exposing version control interfaces.
  • Asset and patch process: Regularly review asset inventories for unapproved or unnecessary services.

7. Risks, Side Effects, and Roll Back

Restricting access may impact legitimate users if not configured correctly.

  • Roll back: Remove the firewall rule(s) added in Step 1, or restart the Atlassian FishEye service with its original configuration.

8. References and Resources

Updated on December 27, 2025
