CVE-2017-16859

MEDIUM

Atlassian Crucible and Fisheye < 4.3.2, 4.4.0-4.4.3 - Path Traversal via Review Attachment Command Parameter

Title source: llm

Description

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3, and before version 4.5.0 allows remote attackers to read files contained within the context path of the running application through a path traversal vulnerability in the command parameter.

References (3)

Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://jira.atlassian.com/browse/CRUC-8212
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104578
Issue Tracking, Third Party Advisory x_refsource_confirm
https://jira.atlassian.com/browse/FE-7061

Scores

CVSS v3 6.5
EPSS 0.0129
EPSS Percentile 79.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (2)
atlassian/crucible < 4.3.2
atlassian/fisheye < 4.3.2
Published Jun 28, 2018
Tracked Since Feb 18, 2026