Unrated severityNVD Advisory· Published Feb 1, 2018· Updated Sep 16, 2024

CVE-2017-16861

Description

It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability.

Affected products

Atlassian/Fisheye and Cruciblecpe-rescue
Range: prior to 4.4.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/102971mitrevdb-entryx_refsource_BID
confluence.atlassian.com/x/h-QyOmitrex_refsource_MISC
confluence.atlassian.com/x/iPQyOmitrex_refsource_MISC
jira.atlassian.com/browse/CRUC-8156mitrex_refsource_MISC
jira.atlassian.com/browse/FE-6991mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000