We have identified and fixed a vulnerability in Bamboo that results from the way it uses third-party XML parsers.

This vulnerability allows an attacker to:

• Execute denial of service attacks against the Bamboo server, and
• Read all local files readable to the system user under which Bamboo runs.

To execute the attack, the attacker needs an account on the affected Bamboo server instance and must be able to log in.

All versions of Bamboo up to and including 3.4.4 are affected.

Full details of the severity, risks and vulnerability can be found in the Bamboo Security Advisory 2012-05-17.

[BAM-11316] Bamboo XML Vulnerability


              vosipov VitalyA
              pwatson paulwatson (Inactive)