Vulnerability Details : CVE-2018-5223
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system. All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability.
Vulnerability category: Input validation, Execute code
Products affected by CVE-2018-5223
- cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*
Threat overview for CVE-2018-5223
- Top open port discovered on systems with this issue: 8060
- IPs affected by CVE-2018-5223: 4
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-5223
- 0.39%: probability of exploitation activity in the next 30 days
- ~73%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-5223
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
CWE ids for CVE-2018-5223
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-5223
- https://jira.atlassian.com/browse/FE-7014
  [FE-7014] Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5223 - Create and track feature requests for Atlassian products. (Patch; Vendor Advisory)
- https://confluence.atlassian.com/x/aS5sO
  Page Not Found - Atlassian Documentation (Vendor Advisory)
- https://jira.atlassian.com/browse/CRUC-8181
  [CRUC-8181] Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5223 - Create and track feature requests for Atlassian products. (Patch; Vendor Advisory)
- http://www.securityfocus.com/bid/103665
  Atlassian FishEye and Crucible CVE-2018-5223 Remote Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://confluence.atlassian.com/x/Zi5sO
  Fisheye and Crucible Security Advisory 2018-03-28 - Atlassian Documentation (Vendor Advisory)