[BAM-18735] Remote Code Execution - CVE-2017-9514 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 6.2.1, 6.0.5, 6.1.4
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can login to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.

Affected versions:

Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x ) and from before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability.

Fix:

Bamboo 6.2.1 is available to download from https://www.atlassian.com/software/bamboo/download.
Bamboo 6.1.4 is available to download from https://www.atlassian.com/software/bamboo/download-archives.
Bamboo 6.0.5 is available to download from https://www.atlassian.com/software/bamboo/download-archives.

For additional details see the full advisory.

duplicates: BDEV-13910 Failed to load

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

David Black added a comment - 10/Oct/2017 12:47 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.9 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

David Black added a comment - 10/Oct/2017 12:47 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.9 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: alexmin (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 05/Oct/2017 2:24 AM

Updated:: 13/Dec/2023 5:37 PM

Resolved:: 10/Oct/2017 1:14 PM

Bamboo Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[BAM-18735] Remote Code Execution - CVE-2017-9514

Collapse comment: David Black added a comment - 10/Oct/2017 12:47 AM

Expand comment: David Black added a comment - 10/Oct/2017 12:47 AM

People

Dates