PT-2018-6349 · Atlassian · Crucible+1
David Black · Published 2018-02-01 · Updated 2019-10-03 · CVE-2017-16861
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Fisheye versions prior to 4.4.5
Fisheye versions 4.5.0 through 4.5.1
Crucible versions prior to 4.4.5
Crucible versions 4.5.0 through 4.5.1
Description:
The issue allows for double OGNL evaluation in certain redirect actions and in WebWork URL and Anchor tags in JSP files. An attacker with access to the web interface of Fisheye or Crucible, or who hosts a website visited by a user with such access, can exploit this to execute Java code of their choice on systems running a vulnerable version.
Recommendations:
For Fisheye versions prior to 4.4.5, update to version 4.4.5 or later.
For Fisheye versions 4.5.0 through 4.5.1, update to version 4.5.2 or later.
For Crucible versions prior to 4.4.5, update to version 4.4.5 or later.
For Crucible versions 4.5.0 through 4.5.1, update to version 4.5.2 or later.
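A small inventory triage helper that encodes the affected ranges and fixed releases listed above, so a fleet of Fisheye/Crucible instances can be checked mechanically. This is an added example, not code from the advisory or from Atlassian; the host names and versions in the sample inventory are constructed.

```python
"""Triage helper for CVE-2017-16861 (Atlassian Fisheye and Crucible).

Added example, not taken from the advisory or from Atlassian. It encodes
only the affected ranges and fixed releases the advisory states; the
sample inventory below is constructed.
"""

AFFECTED_PRODUCTS = {"fisheye", "crucible"}
FIX_OLD_BRANCH = (4, 4, 5)   # for "versions prior to 4.4.5"
FIX_45_BRANCH = (4, 5, 2)    # for "versions 4.5.0 through 4.5.1"


def parse_version(text):
    """'4.5.1' or '4.4' -> comparable tuple padded to three parts.

    A build suffix such as '-b12' is dropped; non-numeric input raises
    ValueError rather than being silently treated as not affected.
    """
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def fixed_version_for(product, version):
    """Version to update to per the advisory, or None if not affected."""
    if product.lower() not in AFFECTED_PRODUCTS:
        return None
    v = parse_version(version)
    if v < FIX_OLD_BRANCH:                 # everything before 4.4.5
        return ".".join(map(str, FIX_OLD_BRANCH))
    if (4, 5, 0) <= v <= (4, 5, 1):        # the two affected 4.5.x releases
        return ".".join(map(str, FIX_45_BRANCH))
    return None                            # 4.4.5 through 4.4.x, and 4.5.2+


def triage(inventory):
    """Return (host, product, version, fix) for each affected entry."""
    return [(h, p, ver, fixed_version_for(p, ver))
            for h, p, ver in inventory if fixed_version_for(p, ver)]


if __name__ == "__main__":
    sample = [  # constructed hosts, not real systems
        ("scm-01.example", "Fisheye", "4.4.3"),
        ("scm-02.example", "Crucible", "4.5.1"),
        ("scm-03.example", "Crucible", "4.5.2"),
        ("scm-04.example", "Fisheye", "4.4.5"),
    ]
    for host, product, version, fix in triage(sample):
        print(f"{host}: {product} {version} -> update to {fix}")
```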
Affected products
Crucible
Fisheye