PT-2018-16814 · Atlassian+2 · Crucible+3
Zhang Tianqi · Published 2018-03-29 · Updated 2018-04-24 · CVE-2018-5223
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fisheye versions prior to 4.4.6
Fisheye versions 4.5.0 through 4.5.2
Crucible versions prior to 4.4.6
Crucible versions 4.5.0 through 4.5.2
Description
Fisheye and Crucible do not correctly check configured Mercurial repository URIs. An attacker who has permission to add repositories can use this to execute arbitrary code on Windows systems running a vulnerable version of the software.
Recommendations
For Fisheye versions prior to 4.4.6, update to version 4.4.6 or later.
For Fisheye versions 4.5.0 through 4.5.2, update to version 4.5.3 or later.
For Crucible versions prior to 4.4.6, update to version 4.4.6 or later.
For Crucible versions 4.5.0 through 4.5.2, update to version 4.5.3 or later.
Fix
RCE
Affected Products
Crucible
Fisheye
Mercurial
Windows