CVE-2017-14591

Published: Nov 29, 2017Modified: May 13, 2026

9.0

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 6.0

Source: NVD

Description

Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.

Affected (4)

Products: Atlassian: Crucible, Fisheye

Atlassian

2 products

Crucible

Fisheye

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Atlassian Crucible	Before 4.4.3
Atlassian Crucible	Version 4.5.0
Atlassian Fisheye	Before 4.4.3
Atlassian Fisheye	Version 4.5.0

Related CWEs

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References (4)

http://www.securityfocus.com/bid/102194

Source: security@atlassian.com

Third Party AdvisoryVDB Entry

https://confluence.atlassian.com/x/plcGO

Source: security@atlassian.com

Issue TrackingMitigationVendor Advisory

http://www.securityfocus.com/bid/102194

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://confluence.atlassian.com/x/plcGO

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingMitigationVendor Advisory

Timeline

No history available yet.