Description
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system. All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://confluence.atlassian.com/x/aS5sO
Patch, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/CRUC-8181
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103665
Vendor Advisory x_refsource_confirm
https://confluence.atlassian.com/x/Zi5sO
Patch, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/FE-7014
Scores
CVSS v3
7.2
EPSS
0.0091
EPSS Percentile
76.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (2)
atlassian/crucible
4.4.0 - 4.4.6
atlassian/fisheye
4.4.0 - 4.4.6
Published
Mar 29, 2018
Tracked Since
Feb 18, 2026