First published: Thu Feb 01 2018
Double OGNL evaluation could occur in certain redirect actions and in WebWork URL and Anchor tags in JSP files. An attacker who can access the web interface of Fisheye or Crucible, or who hosts a website visited by a user who can access that web interface, can exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian FishEye | <4.4.5 | |
Atlassian FishEye | >=4.5.0, <4.5.2 | |
Atlassian Crucible | <4.4.5 | |
Atlassian Crucible | >=4.5.0, <4.5.2 | |
The vulnerability ID for this issue is CVE-2017-16861.
The severity of CVE-2017-16861 is critical with a CVSS score of 9.8.
CVE-2017-16861 affects Atlassian FishEye and Crucible versions before 4.4.5 and versions from 4.5.0 before 4.5.2.
An attacker who can access the web interface of Fisheye or Crucible, or who hosts a website visited by a user who can access that web interface, is able to perform double OGNL evaluation, leading to potential remote code execution or other security exploits.
To mitigate CVE-2017-16861, it is recommended to upgrade Atlassian FishEye and Crucible to versions 4.4.6 or 4.5.3 or later.