Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system.
- All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability.
- Fisheye version 4.5.3 is available to download from https://www.atlassian.com/software/fisheye/download.
- Crucible version 4.5.3 is available to download from https://www.atlassian.com/software/crucible/download.
- Fisheye version 4.4.6 is available to download from https://www.atlassian.com/software/fisheye/download-archives.
- Crucible version 4.4.6 is available to download from https://www.atlassian.com/software/crucible/download-archives.
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.
For additional details see the full advisory.
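The defect described above is a missing validation step between a user-supplied repository URI and the external Mercurial command it is passed to. As an added illustration that is not Atlassian's code or its actual fix, the Python below shows the kind of check a service can apply: reject values that begin with an option prefix or contain characters a Windows command line could split into extra arguments, require an allow-listed scheme and a host, and pass the URI as its own argv element after a `--` separator with no shell involved. The scheme allow-list, the host requirement and the `hg clone` invocation are this example's assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Assumed policy for this illustration: only remote Mercurial repositories over
# these schemes are accepted; local paths and other schemes are rejected.
ALLOWED_SCHEMES = {"http", "https", "ssh"}


def _has_unsafe_char(uri: str) -> bool:
    # Whitespace, quotes, cmd.exe metacharacters and control characters are the
    # things a Windows command line (or a naive wrapper) could use to split or
    # reinterpret the value as more than one argument.
    return any(ch.isspace() or ord(ch) < 32 or ch in '"&|<>^%' for ch in uri)


def is_safe_repo_uri(uri: str) -> bool:
    """Return True only if `uri` looks like a plain repository location rather
    than something an option parser or the Windows command line could read as
    extra arguments. The rule set here is an assumption for the example."""
    if not uri:
        return False
    # A value starting with '-' would be read as an option, not a location.
    if uri.startswith("-"):
        return False
    if _has_unsafe_char(uri):
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    # Require an explicit, allow-listed scheme and a non-empty host so that
    # scheme-less or relative values never reach the external command.
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def build_clone_argv(uri: str, dest: str) -> list:
    """Build the argv for an `hg clone`, with the URI as its own element after
    a `--` separator (assumed to be honoured by hg's option parser), never as
    part of a shell string. Raises ValueError for a rejected URI."""
    if not is_safe_repo_uri(uri):
        raise ValueError("repository URI rejected by validation")
    return ["hg", "clone", "--", uri, dest]


def clone_repository(uri: str, dest: str) -> int:
    """Run the clone with shell=False so no shell ever re-parses the URI."""
    proc = subprocess.run(build_clone_argv(uri, dest), shell=False, check=False)
    return proc.returncode
```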