Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-18405

Incorrect permission check for deployment projects (CVE-2017-8907)

XMLWordPrintable

      Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

       

      Affected versions:

      • Versions of Bamboo starting with 5.0.0 before 5.15.7 (the fixed version for 5.15.x) and from 6.0.0 before 6.0.1 (the fixed version for 6.0.x) are affected by this vulnerability.

       

      Fix:

       

      Acknowledgements
      Atlassian would like to credit Iordache Cosmin (@inhibitor181) for reporting this issue to us.

       

      For additional details see the full advisory.

            [BAM-18405] Incorrect permission check for deployment projects (CVE-2017-8907)

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Bamboo Workflow 2016 v1 - Restricted [ 2019966 ] New: JAC Bug Workflow v3 [ 3385818 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Symptom Severity Original: Major [ 14431 ] New: Severity 2 - Major [ 15831 ]
            Krystian Brazulewicz made changes -
            Link New: This issue has a regression in BAM-18636 [ BAM-18636 ]
            Alexey Chystoprudov made changes -
            Link New: This issue causes BAM-18492 [ BAM-18492 ]
            David Black made changes -
            Fix Version/s New: 6.0.3 [ 72335 ]
            MichaelD made changes -
            Description Original: Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

             

            *Affected versions:*
             * Versions of Bamboo starting with 5.0.0 before 5.15.7 (the fixed version for 5.15.x) and from 6.0.0 before 6.0.3 (the fixed version for 6.0.x) are affected by this vulnerability.

             

            *Fix:*
             * *Bamboo* 6.0.3 is available to download from [https://www.atlassian.com/software/bamboo/download].
             * *Bamboo* 5.15.7 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

             

            *Acknowledgements*
             Atlassian would like to credit Iordache Cosmin (@inhibitor181) for reporting this issue to us.

             

            For additional details see the [full advisory|https://confluence.atlassian.com/x/KgwUNg].             		New: Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

             

            *Affected versions:*
             * Versions of Bamboo starting with 5.0.0 before 5.15.7 (the fixed version for 5.15.x) and from 6.0.0 before 6.0.1 (the fixed version for 6.0.x) are affected by this vulnerability.

             

            *Fix:*
             * *Bamboo* 6.0.3 is available to download from [https://www.atlassian.com/software/bamboo/download].
             * *Bamboo* 5.15.7 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

             

            *Acknowledgements*
             Atlassian would like to credit Iordache Cosmin (@inhibitor181) for reporting this issue to us.

             

            For additional details see the [full advisory|https://confluence.atlassian.com/x/KgwUNg].
            MichaelD made changes -
            Fix Version/s New: 6.0.1 [ 71900 ]
            Fix Version/s Original: 6.0.3 [ 72335 ]
            Alek Amrani (Inactive) made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            David Black made changes -
            Description Original: Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

             

            *Affected versions:*
             * Versions of Bamboo starting with 5.0.0 before 5.15.7 (the fixed version for 5.15.x) and from 6.0.0 before 6.0.2 (the fixed version for 6.0.x) are affected by this vulnerability.

             

            *Fix:*
             * *Bamboo* 6.0.2 is available to download from [https://www.atlassian.com/software/bamboo/download].
             * *Bamboo* 5.15.7 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

             

            *Acknowledgements*
             Atlassian would like to credit Iordache Cosmin (@inhibitor181) for reporting this issue to us.

             

            For additional details see the [full advisory|https://confluence.atlassian.com/x/KgwUNg].             		New: Bamboo did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

             

            *Affected versions:*
             * Versions of Bamboo starting with 5.0.0 before 5.15.7 (the fixed version for 5.15.x) and from 6.0.0 before 6.0.3 (the fixed version for 6.0.x) are affected by this vulnerability.

             

            *Fix:*
             * *Bamboo* 6.0.3 is available to download from [https://www.atlassian.com/software/bamboo/download].
             * *Bamboo* 5.15.7 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

             

            *Acknowledgements*
             Atlassian would like to credit Iordache Cosmin (@inhibitor181) for reporting this issue to us.

             

            For additional details see the [full advisory|https://confluence.atlassian.com/x/KgwUNg].
            David Black made changes -
            Fix Version/s New: 6.0.3 [ 72335 ]
            Fix Version/s Original: 6.0.2 [ 71868 ]

              Unassigned Unassigned
              dblack David Black
              Affected customers:
              0 This affects my team
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: