[CRUC-8156] Remote code execution through OGNL double evaluation - CVE-2017-16861 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 4.4.5, 4.5.2
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible.

Affected versions:

All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability.

Fix:

Fisheye version 4.5.2 is available to download from https://www.atlassian.com/software/fisheye/download.
Crucible version 4.5.2 is available to download from https://www.atlassian.com/software/crucible/download.
Fisheye version 4.4.5 is available to download from https://www.atlassian.com/software/fisheye/download-archives.
Crucible version 4.4.5 is available to download from https://www.atlassian.com/software/fisheye/download-archives.

For additional details see the full advisory.

relates to

FE-6991 Remote code execution through OGNL double evaluation - CVE-2017-16861

Closed

SECENG-1086 Failed to load

mentioned in: Page Failed to load

David Black added a comment - 08/Jan/2018 4:35 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 10.0 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

David Black added a comment - 08/Jan/2018 4:35 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 10.0 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 08/Jan/2018 4:34 AM

Updated:: 06/Dec/2019 3:40 AM

Resolved:: 18/Jan/2018 5:05 PM

Crucible

Details

Description

Attachments

Issue Links

Forms

Activity

[CRUC-8156] Remote code execution through OGNL double evaluation - CVE-2017-16861

Collapse comment: David Black added a comment - 08/Jan/2018 4:35 AM, Edited by David Black - 22/Jan/2018 10:56 PM

Expand comment: David Black added a comment - 08/Jan/2018 4:35 AM, Edited by David Black - 22/Jan/2018 10:56 PM

People

Dates