CVE-2018-5223

moderate-risk

Published 2018-03-29

Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system. All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability.

Do I need to act?

0.91% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (2)

Fisheye

Crucible

Affected Vendors

Atlassian

References (10)

Third Party Advisory http://www.securityfocus.com/bid/103665

Vendor Advisory https://confluence.atlassian.com/x/Zi5sO

Vendor Advisory https://confluence.atlassian.com/x/aS5sO

Patch https://jira.atlassian.com/browse/CRUC-8181

Patch https://jira.atlassian.com/browse/FE-7014

Third Party Advisory http://www.securityfocus.com/bid/103665

Vendor Advisory https://confluence.atlassian.com/x/Zi5sO

Vendor Advisory https://confluence.atlassian.com/x/aS5sO

Patch https://jira.atlassian.com/browse/CRUC-8181

Patch https://jira.atlassian.com/browse/FE-7014

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 7/34 · Low