[CRUC-8181] Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5223 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 4.4.6, 4.5.3, 4.6.0
Affects Version/s: None
Component/s: Server administration
Labels:

Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system.

Affected versions:

All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability.

Fix:

Fisheye version 4.5.3 is available to download from https://www.atlassian.com/software/fisheye/download.
Crucible version 4.5.3 is available to download from https://www.atlassian.com/software/crucible/download.
Fisheye version 4.4.6 is available to download from https://www.atlassian.com/software/fisheye/download-archives.
Crucible version 4.4.6 is available to download from https://www.atlassian.com/software/crucible/download-archives.

Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory.

is related to

FE-7014 Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5223

Closed

relates to: SECENG-1271 Failed to load

David Black added a comment - 08/Mar/2018 2:31 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.1 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

David Black added a comment - 08/Mar/2018 2:31 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.1 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 08/Mar/2018 2:29 AM

Updated:: 05/Dec/2019 1:30 AM

Resolved:: 21/Mar/2018 1:16 PM

Crucible

Details

Description

Attachments

Issue Links

Forms

Activity

[CRUC-8181] Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5223

Collapse comment: David Black added a comment - 08/Mar/2018 2:31 AM

Expand comment: David Black added a comment - 08/Mar/2018 2:31 AM

People

Dates