
Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within the context path of the running application through a path traversal vulnerability in the command parameter.
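The defect class described above is a file-serving handler that joins a user-supplied name onto a base directory without verifying that the result stays inside it. The following is an added illustrative containment check, not Fisheye or Crucible code: the `safe_join` function, the `command`-style parameter it models, and the base directory `/var/app/context/attachments` are assumptions made for the example. It decodes the name (twice, so a double-encoded `..` does not slip past), normalises dot segments, then uses `realpath` plus `commonpath` so that symlinks and sibling-directory prefixes cannot escape the base.

```python
"""Illustrative path-containment check for a file-serving handler.

Added example, not Fisheye/Crucible code. The handler shape, the
parameter it models and the base directory are assumptions.
"""
import os
import posixpath
from urllib.parse import unquote


class TraversalRejected(ValueError):
    """Raised when a requested name would escape the allowed directory."""


def safe_join(base_dir: str, requested: str) -> str:
    """Map a user-supplied relative name onto a file under ``base_dir``.

    Steps: percent-decode twice (catches ``%252e%252e``), reject NUL bytes
    and absolute paths, normalise ``.``/``..`` segments, then confirm with
    realpath + commonpath that the final location is still inside base_dir.
    """
    name = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in name or name.startswith("/"):
        raise TraversalRejected(requested)
    # normpath collapses "a/./b" and "a/../b"; a leading ".." survives.
    normalised = posixpath.normpath(name)
    if normalised == ".." or normalised.startswith("../"):
        raise TraversalRejected(requested)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    # commonpath is the authoritative test: a plain string-prefix check
    # would wrongly accept "/var/app/context/attachments-old/x".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise TraversalRejected(requested)
    return candidate


def classify(base_dir: str, requested: str) -> str:
    """Return 'ok' or 'rejected' for a requested name."""
    try:
        safe_join(base_dir, requested)
        return "ok"
    except TraversalRejected:
        return "rejected"


if __name__ == "__main__":
    BASE = "/var/app/context/attachments"  # constructed sample base directory
    for req in ["CR-1/report.txt", "../outside.txt", "..%2F..%2Foutside.txt",
                "%252e%252e/outside.txt", "sub/../../outside.txt"]:
        print(f"{req!r}: {classify(BASE, req)}")
```

Decoding before normalising matters: if the framework has already decoded the parameter once, a second `unquote` is harmless, but normalising first and decoding afterwards would let an encoded `..` through. The `realpath` step also closes the case where a symlink inside the attachment directory points outside it.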


            Richard Atkins made changes -
            Labels Original: CVE-2017-16859 advisory advisory-released cvss-high path-traversal security New: CVE-2017-16859 advisory advisory-released cvss-high idor path-traversal security
            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2942976 ] New: JAC Bug Workflow v3 [ 2957994 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 2706144 ] New: FE-CRUC Bug Workflow [ 2942976 ]
            David Black made changes -
            Labels Original: CVE-2017-16859 advisory advisory-to-release cvss-high path-traversal security New: CVE-2017-16859 advisory advisory-released cvss-high path-traversal security

David Black added a comment:

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.7 => High severity

Exploitability Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None

Scope Metric
Scope: Changed

Impact Metrics
Confidentiality: High
Integrity: None
Availability: None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
            David Black made changes -
            Labels Original: advisory advisory-to-release cvss-high path-traversal security New: CVE-2017-16859 advisory advisory-to-release cvss-high path-traversal security
            David Black made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]
            David Black made changes -
            Fix Version/s New: 4.5.0 [ 71891 ]
            Fix Version/s New: 4.4.3 [ 73503 ]
            Fix Version/s New: 4.3.2 [ 67297 ]
            Fix Version/s Original: 4.3.2 [ 67298 ]
            Fix Version/s Original: 4.5.0 [ 72296 ]
            Fix Version/s Original: 4.4.3 [ 73502 ]
            Key Original: CRUC-8213 New: FE-7061
            Affects Version/s New: 4.4.1 [ 70801 ]
            Affects Version/s New: 4.2.1 [ 64120 ]
            Affects Version/s New: 3.2.0 [ 34893 ]
            Affects Version/s Original: 3.2.0 [ 35490 ]
            Affects Version/s Original: 4.2.1 [ 64617 ]
            Affects Version/s Original: 4.4.1 [ 70800 ]
            Project Original: Crucible [ 11771 ] New: FishEye [ 11830 ]
            David Black made changes -
            Link New: This issue is detailed by FECRU-7456 [ FECRU-7456 ]
            David Black made changes -
            Link New: This issue is cloned from CRUC-8212 [ CRUC-8212 ]

Assignee: Unassigned
Reporter: Marek Tokarski (mtokarski@atlassian.com)