- Type: Bug
- Resolution: Fixed
- Priority: Highest
- None
- Severity 1 - Critical
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system.
Affected versions:
- All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability.
Fix:
- Fisheye version 4.5.3 is available to download from https://www.atlassian.com/software/fisheye/download.
- Crucible version 4.5.3 is available to download from https://www.atlassian.com/software/crucible/download.
- Fisheye version 4.4.6 is available to download from https://www.atlassian.com/software/fisheye/download-archives.
- Crucible version 4.4.6 is available to download from https://www.atlassian.com/software/crucible/download-archives.
Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.
For additional details see the full advisory.
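The root cause described above is a configured repository URI reaching the Mercurial command line unchecked, so that a value shaped like a command-line option is interpreted as one. As an added example (not Atlassian's code and not how Fisheye or Crucible implement their fix), the Python below shows the kind of allow-list validation and option-terminating invocation a repository integration can apply before handing a user-supplied URI to a child process. The allowed scheme set, the function names and the sample URIs are assumptions for illustration; the `--` end-of-options separator is standard getopt-style behaviour that Mercurial's option parser honours.

```python
import subprocess
from urllib.parse import urlsplit

# Assumption for this example: only remote repositories over these schemes
# are accepted. Local file-system paths are deliberately out of scope.
ALLOWED_SCHEMES = {"http", "https", "ssh"}

# Characters with special meaning to cmd.exe / batch wrappers (hg.bat) or to
# a shell; rejecting them is defense in depth, not the primary control.
COMMAND_LINE_METACHARS = set('"\'&|<>^%`$;')


def validate_hg_repo_uri(uri: str) -> str:
    """Return the URI unchanged if it is safe to pass as a positional
    argument to hg; raise ValueError otherwise."""
    if not isinstance(uri, str) or not uri.strip():
        raise ValueError("repository URI is empty")
    uri = uri.strip()
    # Anything starting with '-' would be parsed as an option, not a URI.
    if uri.startswith("-"):
        raise ValueError("repository URI must not start with '-'")
    if any(ch.isspace() for ch in uri):
        raise ValueError("repository URI must not contain whitespace")
    if any(ch in COMMAND_LINE_METACHARS for ch in uri):
        raise ValueError("repository URI contains command-line metacharacters")
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise ValueError("repository URI has no host component")
    return uri


def is_safe_hg_repo_uri(uri: str) -> bool:
    """Boolean wrapper around validate_hg_repo_uri for callers and tests."""
    try:
        validate_hg_repo_uri(uri)
        return True
    except ValueError:
        return False


def build_hg_clone_argv(uri: str, dest: str) -> list:
    """Build the argv for an hg clone of a validated URI.

    The '--' token ends option parsing, so even a URI that slipped past
    validation cannot be consumed as an option by hg itself.
    """
    validated = validate_hg_repo_uri(uri)
    return ["hg", "clone", "--", validated, dest]


def windows_command_line(argv: list) -> str:
    """Show how the argv would be quoted into the single command-line string
    that CreateProcess receives on Windows. Always pass a list to
    subprocess rather than concatenating strings yourself."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    # Constructed sample inputs (not from the advisory).
    good = "https://hg.example.invalid/project/repo"
    print(build_hg_clone_argv(good, r"C:\repos\repo"))
    print(windows_command_line(build_hg_clone_argv(good, r"C:\repos\repo")))
    for bad in ("-R", "--config=ui.verbose=true", "https://h/r --help", "C:\\repos\\x"):
        print(bad, "->", is_safe_hg_repo_uri(bad))
```

The primary control is the allow-list (scheme, host, no leading dash, no whitespace); the `--` separator and list-based `subprocess` invocation are layered underneath it so that a single missed case does not become argument injection.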
Issue links:
- is related to: FE-7014 Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5223 (Closed)
- relates to: SECENG-1271