CVE-2017-16861
CRITICALAtlassian Fisheye and Crucible < 4.4.5 and 4.5.0-4.5.1 - Remote Code Execution via Double OGNL Evaluation
Title source: llmDescription
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/CRUC-8156
Vendor Advisory x_refsource_misc
https://confluence.atlassian.com/x/h-QyO
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/102971
Vendor Advisory x_refsource_misc
https://confluence.atlassian.com/x/iPQyO
Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/FE-6991
Scores
CVSS v3
9.8
EPSS
0.0056
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
atlassian/crucible
< 4.4.5
atlassian/fisheye
< 4.4.5
Published
Feb 01, 2018
Tracked Since
Feb 18, 2026