Uploaded image for project: 'Bamboo'
  1. Bamboo
  2. BAM-18842

Remote code execution through OGNL double evaluation - CVE-2017-14589

    Details

    • Last commented by user?:
      true
    • Comments:
      1
    • Symptom Severity:
      Major

      Description

      It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo.

      Affected versions:

      • All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

      Fix:

      Acknowledgements
      Atlassian would like to credit Sebastian Perez for reporting this issue to us.

      For additional details see the full advisory.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Due:
                  Created:
                  Updated:
                  Resolved:
                  Last commented:
                  9 weeks, 4 days ago