
Remote code execution through OGNL double evaluation - CVE-2017-14589

    Details

      Description

      Double OGNL evaluation could occur in FreeMarker templates through Struts FreeMarker tags. An attacker who has restricted administration rights to Bamboo, or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo.

      Affected versions:

      • All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

      Fix:

      Acknowledgements
      Atlassian would like to credit Sebastian Perez for reporting this issue to us.

      For additional details see the full advisory.
