CVE-2017-14589

9.6CRITICAL

Key Information:

Vendor
Atlassian
Status
Bamboo
Vendor
CVE Published:
13 December 2017

Summary

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Affected Version(s)

Bamboo before 6.1.6 (the fixed version for 6.1.x)

Bamboo from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)

References

https://jira.atlassian.com/browse/BAM-18842
x_refsource_CONFIRM
http://www.securityfocus.com/bid/102188
vdb-entryx_refsource_BID
https://confluence.atlassian.com/bamboo/bamboo-security-a...
x_refsource_CONFIRM

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.