• Type: Bug
• Resolution: Fixed
• Priority: Highest
• Fix Version/s: 6.2.5, 6.1.6
• Affects Version/s: None
• Component/s: None
• Labels:

  • CVE-2017-14589
  • advisory
  • advisory-released
  • cvss-critical
  • injection
  • rce
  • security

[BAM-18842] Remote code execution through OGNL double evaluation - CVE-2017-14589

Said made changes - 06/Dec/2019 3:42 AM

Labels

Original: CVE-2017-14589 advisory advisory-released cvss-critical security

New: CVE-2017-14589 advisory advisory-released cvss-critical injection rce security

Monique Khairuliana (Inactive) made changes - 19/Aug/2019 2:05 AM

Workflow	Original: Bamboo Workflow 2016 v1 - Restricted [ 2478569 ]	New: JAC Bug Workflow v3 [ 3385646 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 24/Oct/2018 5:05 AM

Symptom Severity

Original: Major [ 14431 ]

New: Severity 2 - Major [ 15831 ]

David Black made changes - 21/Dec/2017 4:25 AM

Labels

Original: CVE-2017-14589 advisory cvss-critical security

New: CVE-2017-14589 advisory advisory-released cvss-critical security

David Black made changes - 19/Dec/2017 3:27 AM

Remote Link

New: This issue links to "Page (Extranet)" [ 340340 ]

Ellie Z (they/them) made changes - 12/Dec/2017 8:59 PM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

Marcin Oles made changes - 06/Dec/2017 6:34 PM

Description

Original: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. *Affected versions:* * All versions of Bamboo before 6.1.5 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.4 (the fixed version for 6.2.x) are affected by this vulnerability. *Fix:* * Bamboo version 6.2.4 is available to download from [https://www.atlassian.com/software/bamboo/download].  * Bamboo version 6.1.5 is available to download from [https://www.atlassian.com/software/bamboo/download-archives]. *Acknowledgements* Atlassian would like to credit Sebastian Perez for reporting this issue to us. For additional details see the [full advisory|https://confluence.atlassian.com/x/6FcGO].

New: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. *Affected versions:* * All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. *Fix:* * Bamboo version 6.2.5 is available to download from [https://www.atlassian.com/software/bamboo/download].  * Bamboo version 6.1.6 is available to download from [https://www.atlassian.com/software/bamboo/download-archives]. *Acknowledgements* Atlassian would like to credit Sebastian Perez for reporting this issue to us. For additional details see the [full advisory|https://confluence.atlassian.com/x/6FcGO].

Marcin Oles made changes - 06/Dec/2017 6:34 PM

Fix Version/s		New: 6.1.6 [ 77296 ]
Fix Version/s	Original: 6.1.2 [ 73637 ]

David Black made changes - 06/Dec/2017 2:05 AM

Remote Link

Original: This issue links to "Page (Extranet)" [ 333146 ]

David Black made changes - 06/Dec/2017 1:37 AM

Description

Original: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. *Affected versions:* * All versions of Bamboo before 6.1.5 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.4 (the fixed version for 6.2.x) are affected by this vulnerability. *Fix:* * Bamboo version 6.2.4 is available for download from [https://www.atlassian.com/software/bamboo/download].  * Bamboo version 6.1.5 is available for download from [https://www.atlassian.com/software/bamboo/download-archives]. *Acknowledgements* Atlassian would like to credit Sebastian Perez for reporting this issue to us. For additional details see the [full advisory|https://confluence.atlassian.com/x/6FcGO].

New: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. *Affected versions:* * All versions of Bamboo before 6.1.5 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.4 (the fixed version for 6.2.x) are affected by this vulnerability. *Fix:* * Bamboo version 6.2.4 is available to download from [https://www.atlassian.com/software/bamboo/download].  * Bamboo version 6.1.5 is available to download from [https://www.atlassian.com/software/bamboo/download-archives]. *Acknowledgements* Atlassian would like to credit Sebastian Perez for reporting this issue to us. For additional details see the [full advisory|https://confluence.atlassian.com/x/6FcGO].

Load more older history items