Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 6.2.5, 6.1.6
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo.

Affected versions:

All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Fix:

Bamboo version 6.2.5 is available to download from https://www.atlassian.com/software/bamboo/download.
Bamboo version 6.1.6 is available to download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements
Atlassian would like to credit Sebastian Perez for reporting this issue to us.

For additional details see the full advisory.

Attachments

Issue Links

is related to

BAM-18843 Argument injection in Mercurial repository handling - CVE-2017-14590

Closed

mentioned in: Page Loading...

relates to: BDEV-14068 Loading...; SECENG-886 Loading...

Activity

People

Assignee:: Przemek Bruski

Reporter:: David Black

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Due:: 13/Dec/2017

Created:: 15/Nov/2017 10:45 PM

Updated:: 06/Dec/2019 3:42 AM

Resolved:: 05/Dec/2017 6:38 PM