FishEye and Crucible Webwork 2 Framework Remote Code Injection Vulnerability
BID:51762
Info
| Bugtraq ID: | 51762 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 31 2012 12:00AM |
| Updated: | Mar 19 2015 08:42AM |
| Credit: | Reported by the vendor |
| Vulnerable: | Atlassian Fisheye 2.5.7, Atlassian Fisheye 2.5.6, Atlassian Fisheye 2.5.5, Atlassian Fisheye 2.4.6, Atlassian Fisheye 2.4.4, Atlassian Fisheye 2.4.3, Atlassian Fisheye 2.3.7, Atlassian Fisheye 2.3.6, Atlassian Fisheye 2.3.5, Atlassian Fisheye 2.3.4, Atlassian Fisheye 2.3.3, Atlassian Fisheye 2.3.2, Atlassian Fisheye 2.3.1, Atlassian Fisheye 2.3, Atlassian Fisheye 2.2.3, Atlassian Fisheye 2.5.4, Atlassian Fisheye 2.5.2, Atlassian Fisheye 2.2.8, Atlassian Crucible 2.5.7, Atlassian Crucible 2.5.6, Atlassian Crucible 2.5.5, Atlassian Crucible 2.4.5, Atlassian Crucible 2.4.4, Atlassian Crucible 2.4.3, Atlassian Crucible 2.3.3, Atlassian Crucible 2.3.2, Atlassian Crucible 2.2.3, Atlassian Crucible 2.5.4, Atlassian Crucible 2.5.2, Atlassian Crucible 2.5.0, Atlassian Crucible 2.4.5, Atlassian Crucible 2.3.0, Atlassian Crucible 2.2.8, Atlassian Crucible 2.2.6 |
| Not Vulnerable: | Atlassian Fisheye 2.7.9, Atlassian Fisheye 2.6.7, Atlassian Crucible 2.7.9, Atlassian Crucible 2.6.7 |
Discussion
FishEye and Crucible are prone to a remote code-injection vulnerability because they fail to properly sanitize user-supplied input.
An attacker can exploit this issue to inject and execute arbitrary Java code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.