Code Execution Vulnerability in Bamboo Server by Atlassian
CVE-2017-14590

9.1 CRITICAL

Key Information:

Vendor: Atlassian
Status: Vendor
CVE Published: 13 December 2017

Summary

An authorization flaw in Bamboo allows an attacker with the appropriate repository permissions to execute arbitrary code on systems running vulnerable versions of the software. Specifically, the vulnerability arises from Bamboo's failure to validate branch names in a Mercurial repository, which could be exploited by someone who can create or modify plans that access such repositories. Affected versions are Bamboo Server from 2.7.0 up to, but not including, 6.1.6, and from 6.2.0 up to, but not including, 6.2.5.
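The mitigation implied by the summary is to validate branch names before a plan passes them to the repository client. The following is an added example, not Atlassian's or Bamboo's code: a conservative allowlist check, with the name always handed to the client as a single argument and never as shell text. The allowlist pattern, the rejection reasons and the client invocation are assumptions, since the page does not describe Bamboo's own check.

```python
import re
from typing import Iterable, List, Tuple

# Assumed allowlist: alphanumerics, dot, underscore, slash and dash, not
# starting with a dash or dot, at most 255 characters. Adjust to local policy.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")
# Characters that would let a name be read as shell syntax or split into
# several arguments if it were ever interpolated into a command string.
_SHELL_META = set(";&|`$(){}<>!'\"\\ \t\r\n")


def validate_branch_name(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks are ordered so the most specific
    reason is reported for a rejected name."""
    if not name:
        return False, "empty"
    if any(ch in _SHELL_META or ord(ch) < 32 for ch in name):
        return False, "control or shell metacharacter"
    if name.startswith("-"):
        return False, "leading dash could be parsed as an option"
    if ".." in name:
        return False, "path traversal"
    if not _ALLOWED.fullmatch(name):
        return False, "character outside allowlist"
    return True, "ok"


def filter_branches(names: Iterable[str]) -> List[str]:
    """Keep only names that pass validation; a plan should refuse to run
    on any name that is dropped here rather than silently continuing."""
    return [n for n in names if validate_branch_name(n)[0]]


def build_checkout_argv(client: str, branch: str) -> List[str]:
    """Build an argument list (never a shell string) for a hypothetical
    repository client; the subcommand and flag are placeholders."""
    ok, reason = validate_branch_name(branch)
    if not ok:
        raise ValueError(f"rejected branch name {branch!r}: {reason}")
    # Each element is one argv entry, so the name cannot inject extra
    # options or commands even if run via subprocess.run(argv).
    return [client, "checkout", "--branch", branch]


if __name__ == "__main__":
    # Constructed sample input for demonstration.
    sample = ["default", "feature/login-v2", "-R /tmp", "a;rm", "../x", ""]
    print(filter_branches(sample))  # ['default', 'feature/login-v2']
```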

Affected Version(s)

Bamboo from 2.7.0 before 6.1.6 (the fixed version for 6.1.x)

Bamboo from 6.2.0 before 6.2.5

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
