CVE-2017-16861 — Atlassian Crucible vulnerability
3 documents, 3 sources
Severity
9.8 CRITICAL (NVD)
EPSS
0.6%
top 31.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 1
Latest update: May 13
Description
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed vers…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details (2)
GHSA
GHSA-cv2h-wxc2-2v4j: It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur (2022-05-13)
CVEList
CVE-2017-16861: It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur (2018-02-01)