BAM-18405: Incorrect permission check for deployment projects (CVE-2017-8907)
Project: Bamboo Data Center

      Bamboo did not correctly check whether a user creating a deployment project held the edit permission, and therefore the right to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. A local agent is enabled by default, which means that code execution can occur on the system hosting Bamboo, as the user running Bamboo.
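To make the authorization gap concrete, the following added illustration (not Bamboo's code) models the pre-fix and fixed behaviour: creating a deployment project is a privileged action tied to the linked plan, so the service must verify the caller's EDIT permission on that plan server-side. The plan key, user names and permission sets are constructed for the example.

```python
"""Model of the missing permission check behind CVE-2017-8907 (illustration only)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class Plan:
    key: str
    # user -> set of permission names held on this plan (constructed data)
    permissions: dict = field(default_factory=dict)

    def has_permission(self, user: str, perm: str) -> bool:
        return perm in self.permissions.get(user, set())


class DeploymentService:
    def __init__(self):
        self.projects = []  # (project name, linked plan key, creator)

    def create_vulnerable(self, user: str, plan: Plan, name: str) -> str:
        # Pre-fix behaviour: only authentication is checked, so any logged-in
        # user can link a deployment project (and its tasks) to any plan.
        if not user:
            raise PermissionDenied("login required")
        self.projects.append((name, plan.key, user))
        return name

    def create_fixed(self, user: str, plan: Plan, name: str) -> str:
        # Hardened behaviour: creation also requires EDIT on the linked plan,
        # evaluated on every request regardless of what the UI exposes.
        if not user:
            raise PermissionDenied("login required")
        if not plan.has_permission(user, "EDIT"):
            raise PermissionDenied(f"{user} lacks EDIT on plan {plan.key}")
        self.projects.append((name, plan.key, user))
        return name


def demo() -> dict:
    # Constructed scenario: alice may edit the plan, mallory may only view it.
    plan = Plan("PROJ-PLAN", {"alice": {"VIEW", "EDIT"}, "mallory": {"VIEW"}})
    svc = DeploymentService()
    results = {"vulnerable_lowpriv": svc.create_vulnerable("mallory", plan, "deploy-a")}
    try:
        svc.create_fixed("mallory", plan, "deploy-b")
        results["fixed_lowpriv"] = "allowed"
    except PermissionDenied:
        results["fixed_lowpriv"] = "denied"
    results["fixed_editor"] = svc.create_fixed("alice", plan, "deploy-c")
    return results
```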


      Affected versions:

      • Versions of Bamboo starting with 5.0.0 before 5.15.7 (the fixed version for 5.15.x) and from 6.0.0 before 6.0.1 (the fixed version for 6.0.x) are affected by this vulnerability.


      Fix:


      Acknowledgements
      Atlassian would like to credit Iordache Cosmin (@inhibitor181) for reporting this issue to us.


      For additional details see the full advisory.


            Krystian Brazulewicz added a comment - bob1734599024, Atlassian1092, please watch https://jira.atlassian.com/browse/BAM-18636 for updates.

            atlassian1092 added a comment -

            To set expectations, can we expect a fix for this 'fix'? Blocking the viewTaskTypes page serves no useful security purpose so far as I can tell, but it's having a significant impact on us; it has completely broken our plan creation scripts.


            atlassian1092 added a comment -

            The problem we see with the Bamboo CLI that Bob alluded to above is that the http://bamboo.ourdomain.com:8085/build/admin/edit/viewTaskTypes.action?confirm=true&decorator=nothing page is blocked in v5.15.7 for all non-admin users. The CLI depends on this for a number of actions. These are actions where users would not reasonably expect to need Bamboo admin rights.

            Was blocking this page an accidental side effect of the CVE fix? It's not obvious what security purpose is served by requiring users to have admin rights to see this screen. It would be great if this change could be reversed, if it is possible to do that independently of the CVE.

            We were caught off guard by this change. We apply CVE patch updates immediately, as we don't want any exploitable holes in our systems. We didn't expect this to break a major piece of Bamboo functionality.


            Alexey Chystoprudov added a comment -

            bob1734599024, can you please describe what other issues, apart from BAM-18492, your team experiences with permissions? The comment from Patricio relates to a direct link to see tasks without a plan specified in the required parameters; it's not the kind of scenario you can get with the Bamboo UI.

            Bob Swift {Appfire} added a comment -

            Can a subsequent fix be done to restore the ability for non-admin users to view tasks, and to lift other similar restrictions caused by this fix?

            Patricio added a comment -

            Note for reference:

            This fix also blocks the display of tasks for non-admin users (".../build/admin/edit/viewTaskTypes.action?")

              Assignee: Unassigned
              Reporter: David Black (dblack)