Double OGNL Evaluation in FreeMarker Templates for Atlassian Bamboo
CVE-2017-14589

9.6CRITICAL

Key Information:

Vendor
Atlassian
Status
Bamboo
Vendor
CVE Published:
13 December 2017

Summary

This vulnerability allows an attacker with limited administrative rights on Atlassian Bamboo to exploit double OGNL evaluation in FreeMarker templates. If an administrator visits a malicious website, the attacker could execute arbitrary Java code on the targeted systems running vulnerable versions of Bamboo. The issue affects all versions of Bamboo prior to 6.1.6 and from versions 6.2.0 to before 6.2.5.

Affected Version(s)

Bamboo before 6.1.6 (the fixed version for 6.1.x)

Bamboo from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)

References

https://jira.atlassian.com/browse/BAM-18842
x_refsource_CONFIRM
http://www.securityfocus.com/bid/102188
vdb-entryx_refsource_BID
https://confluence.atlassian.com/bamboo/bamboo-security-a...
x_refsource_CONFIRM

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.