CVE-2017-16859
Severity Score
6.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command parameter.
El recurso review attachment en Atlassian Fisheye y Crucible en versiones anteriores a la 4.3.2, desde la 4.4.0 hasta la 4.4.3 y en versiones anteriores a la 4.5.0 permite que los atacantes remotos lean archivos contenidos en la ruta context de la aplicación en ejecución mediante una vulnerabilidad de salto de directorio en el parámetro command.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-11-16 CVE Reserved
- 2018-06-28 CVE Published
- 2024-08-23 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/104578 | Third Party Advisory | |
| https://jira.atlassian.com/browse/CRUC-8212 | Issue Tracking | |
| https://jira.atlassian.com/browse/FE-7061 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Atlassian Search vendor "Atlassian" | Crucible Search vendor "Atlassian" for product "Crucible" | < 4.3.2 Search vendor "Atlassian" for product "Crucible" and version " < 4.3.2" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crucible Search vendor "Atlassian" for product "Crucible" | >= 4.4.0 < 4.4.3 Search vendor "Atlassian" for product "Crucible" and version " >= 4.4.0 < 4.4.3" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Crucible Search vendor "Atlassian" for product "Crucible" | >= 4.4.5 < 4.5.0 Search vendor "Atlassian" for product "Crucible" and version " >= 4.4.5 < 4.5.0" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Fisheye Search vendor "Atlassian" for product "Fisheye" | < 4.3.2 Search vendor "Atlassian" for product "Fisheye" and version " < 4.3.2" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Fisheye Search vendor "Atlassian" for product "Fisheye" | >= 4.4.0 < 4.4.3 Search vendor "Atlassian" for product "Fisheye" and version " >= 4.4.0 < 4.4.3" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Fisheye Search vendor "Atlassian" for product "Fisheye" | >= 4.4.5 < 4.5.0 Search vendor "Atlassian" for product "Fisheye" and version " >= 4.4.5 < 4.5.0" | - |
Affected
| ||||||