Atlassian Fisheye and Crucible are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input.
An attacker can exploit this issue using directory-traversal sequences ('../') to read arbitrary files outside of the restricted directory, obtain the sensitive information they contain, and use it to perform other attacks.
Fisheye and Crucible versions prior to 4.3.2, versions from 4.4.0 prior to 4.4.3, and versions prior to 4.5.0 are vulnerable.
Information
Atlassian FishEye 2.6.8 0
Atlassian Fisheye 4.4
Atlassian Fisheye 4.3.1
Atlassian Fisheye 4.3
Atlassian Fisheye 4.2
Atlassian Fisheye 4.0
Atlassian Fisheye 3.4.4
Atlassian Fisheye 3.4.3
Atlassian Fisheye 3.3.4
Atlassian Fisheye 3.3.3
Atlassian Fisheye 3.2.5
Atlassian Fisheye 3.2.4
Atlassian Fisheye 3.2
Atlassian Fisheye 3.1.7
Atlassian Fisheye 3.1.6
Atlassian Fisheye 3.0.4
Atlassian Fisheye 3.0.3
Atlassian Fisheye 3.0.2
Atlassian Fisheye 3.0.1
Atlassian Fisheye 2.10.8
Atlassian Fisheye 2.10.6
Atlassian Fisheye 2.10.5
Atlassian Fisheye 2.7.10
Atlassian Fisheye 2.7.7
Atlassian Fisheye 2.7.6
Atlassian Fisheye 2.5.8
Atlassian Fisheye 2.5.6
Atlassian Fisheye 2.5.5
Atlassian Fisheye 2.4.6
Atlassian Fisheye 2.4.4
Atlassian Fisheye 2.4.3
Atlassian Fisheye 2.3.7
Atlassian Fisheye 2.3.6
Atlassian Fisheye 2.3.5
Atlassian Fisheye 2.3.4
Atlassian Fisheye 2.3.3
Atlassian Fisheye 2.3.2
Atlassian Fisheye 2.3.1
Atlassian Fisheye 2.3
Atlassian Fisheye 2.2.3
Atlassian Fisheye 1.6.6
Atlassian Fisheye 4.4.2
Atlassian Fisheye 4.4.1
Atlassian Fisheye 3.1
Atlassian Fisheye 2.7.9
Atlassian Fisheye 2.7.8
Atlassian Fisheye 2.7.5
Atlassian Fisheye 2.7.4
Atlassian Fisheye 2.7.3
Atlassian Fisheye 2.7.2
Atlassian Fisheye 2.7.15
Atlassian Fisheye 2.7.11
Atlassian Fisheye 2.7.1
Atlassian Fisheye 2.7.0
Atlassian Fisheye 2.7
Atlassian Fisheye 2.6.7
Atlassian Fisheye 2.6.6
Atlassian Fisheye 2.6.5
Atlassian Fisheye 2.6.4
Atlassian Fisheye 2.6.3
Atlassian Fisheye 2.6.2
Atlassian Fisheye 2.6.1
Atlassian Fisheye 2.6.0
Atlassian Fisheye 2.5.7
Atlassian Fisheye 2.5.4
Atlassian Fisheye 2.5.3
Atlassian Fisheye 2.5.2
Atlassian Fisheye 2.5.1
Atlassian Fisheye 2.5.0
Atlassian Fisheye 2.4.5
Atlassian Fisheye 2.4.2
Atlassian Fisheye 2.4.1
Atlassian Fisheye 2.4.0
Atlassian Fisheye 2.3.8
Atlassian Fisheye 2.2.8
Atlassian Fisheye 2.2.1
Atlassian Fisheye 2.2.0
Atlassian Fisheye 2.1.4
Atlassian Fisheye 2.1.3
Atlassian Fisheye 2.1.2
Atlassian Fisheye 2.1.1
Atlassian Fisheye 2.1.0
Atlassian Fisheye 2.0.6
Atlassian Fisheye 2.0.5
Atlassian Fisheye 2.0.4
Atlassian Fisheye 2.0.3
Atlassian Fisheye 2.0.2
Atlassian Fisheye 2.0.1
Atlassian Fisheye 1.6.4
Atlassian Fisheye 1.6.3
Atlassian Fisheye 1.6.2
Atlassian Fisheye 1.6.1
Atlassian Fisheye 1.6.0
Atlassian Fisheye 1.5.4
Atlassian Fisheye 1.5.3
Atlassian Fisheye 1.5.2
Atlassian Fisheye 1.5.1
Atlassian Fisheye 1.5.0
Atlassian Fisheye 1.4.3
Atlassian Fisheye 1.4.2
Atlassian Fisheye 1.4.1
Atlassian Fisheye 1.4
Atlassian Fisheye 1.3
Atlassian Crucible 2.7.12 0
Atlassian Crucible 2.6.8 0
Atlassian Crucible 2.5.8 0
Atlassian Crucible 4.4
Atlassian Crucible 4.3.1
Atlassian Crucible 4.3
Atlassian Crucible 4.2
Atlassian Crucible 4.0
Atlassian Crucible 3.4.4
Atlassian Crucible 3.4.3
Atlassian Crucible 3.3.4
Atlassian Crucible 3.3.3
Atlassian Crucible 3.2.5
Atlassian Crucible 3.2.4
Atlassian Crucible 3.2
Atlassian Crucible 3.1.7
Atlassian Crucible 3.1.6
Atlassian Crucible 3.1.5
Atlassian Crucible 3.0.4
Atlassian Crucible 3.0.3
Atlassian Crucible 3.0.2
Atlassian Crucible 3.0.1
Atlassian Crucible 2.10.8
Atlassian Crucible 2.10.7
Atlassian Crucible 2.10.6
Atlassian Crucible 2.10.5
Atlassian Crucible 2.7.10
Atlassian Crucible 2.7.7
Atlassian Crucible 2.7.6
Atlassian Crucible 2.5.7
Atlassian Crucible 2.5.6
Atlassian Crucible 2.5.5
Atlassian Crucible 2.4.5
Atlassian Crucible 2.4.4
Atlassian Crucible 2.4.3
Atlassian Crucible 2.3.3
Atlassian Crucible 2.3.2
Atlassian Crucible 2.2.3
Atlassian Crucible 1.6.6
Atlassian Crucible 1.6.2 .1
Atlassian Crucible 1.2.2
Atlassian Crucible 4.4.2
Atlassian Crucible 4.4.1
Atlassian Crucible 2.7.9
Atlassian Crucible 2.7.8
Atlassian Crucible 2.7.5
Atlassian Crucible 2.7.4
Atlassian Crucible 2.7.3
Atlassian Crucible 2.7.2
Atlassian Crucible 2.7.15
Atlassian Crucible 2.7.11
Atlassian Crucible 2.7.1
Atlassian Crucible 2.7.0
Atlassian Crucible 2.7
Atlassian Crucible 2.6.7
Atlassian Crucible 2.6.6
Atlassian Crucible 2.6.5
Atlassian Crucible 2.6.4
Atlassian Crucible 2.6.3
Atlassian Crucible 2.6.2
Atlassian Crucible 2.6.1
Atlassian Crucible 2.6.0
Atlassian Crucible 2.5.4
Atlassian Crucible 2.5.3
Atlassian Crucible 2.5.2
Atlassian Crucible 2.5.1
Atlassian Crucible 2.5.0
Atlassian Crucible 2.4.2
Atlassian Crucible 2.4.1
Atlassian Crucible 2.4.0
Atlassian Crucible 2.3.8
Atlassian Crucible 2.3.7
Atlassian Crucible 2.3.6
Atlassian Crucible 2.3.5
Atlassian Crucible 2.3.4
Atlassian Crucible 2.3.1
Atlassian Crucible 2.3.0
Atlassian Crucible 2.2.8
Atlassian Crucible 2.2.6
Atlassian Crucible 2.2.1
Atlassian Crucible 2.2.0
Atlassian Crucible 2.1.4
Atlassian Crucible 2.1.3
Atlassian Crucible 2.1.2
Atlassian Crucible 2.1.1
Atlassian Crucible 2.1.0
Atlassian Crucible 2.0.6
Atlassian Crucible 2.0.5
Atlassian Crucible 2.0.4
Atlassian Crucible 2.0.3
Atlassian Crucible 2.0.2
Atlassian Crucible 2.0.1
Atlassian Crucible 1.6.4
Atlassian Crucible 1.6.3
Atlassian Crucible 1.6.2
Atlassian Crucible 1.6.1
Atlassian Crucible 1.6.0
Atlassian Crucible 1.5.4
Atlassian Crucible 1.5.3
Atlassian Crucible 1.5.2
Atlassian Crucible 1.5.1
Atlassian Crucible 1.5.0
Atlassian Crucible 1.2.3
Atlassian Crucible 1.2.1
Atlassian Crucible 1.1.4
Atlassian Crucible 1.1.3
Atlassian Crucible 1.1.2
Atlassian Crucible 1.1.1
Not vulnerable:
Atlassian Fisheye 4.5.0
Atlassian Fisheye 4.4.3
Atlassian Crucible 4.3.2
Atlassian Crucible 4.5.0
Atlassian Crucible 4.4.3
Exploit
Attackers can exploit this issue using a browser or readily available tools.