
Argument injection in Mercurial repository handling - CVE-2017-14590

Bamboo did not check whether the name of a branch in a Mercurial repository contained command-line argument parameters. An attacker who has permission to do one or more of the following:

• create a repository in Bamboo
• edit an existing plan in Bamboo that has a non-linked Mercurial repository
• create or edit a plan in Bamboo when there is at least one linked Mercurial repository that the attacker has permission to use
• commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled

can execute code of their choice on systems that run a vulnerable version of Bamboo Server.
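The check a defender would want against the class of flaw described above, as an added example that is not Bamboo's code: a branch-name validator for names obtained from users or from branch detection, and an argv builder for hg that cannot be steered by the name. The policy (reject a leading "-", control characters, empty or over-long names) and the use of the "--" end-of-options marker are this example's own assumptions, not taken from the advisory.

```python
"""Defensive handling of Mercurial branch names before they reach the hg CLI.

Added example; not Bamboo's implementation. A value that starts with '-' can be
parsed by a command-line tool as an option rather than as data, which is the
shape of an argument-injection bug. The rules below are this example's policy.
"""
import re
from typing import List, Tuple

# Control characters (NUL, newline, ...) never belong in a branch name.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_branch_name(name: str) -> bool:
    """True when `name` can only reach hg as a positional value, never as an option.

    Assumed policy: non-empty, bounded length, no control characters, and no
    leading '-' (a leading dash is what lets a value be read as an option).
    """
    if not name or len(name) > 255:
        return False
    if name.startswith("-"):
        return False
    if _CONTROL_CHARS.search(name):
        return False
    return True


def partition_branch_names(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split names from branch detection into (accepted, rejected) lists.

    Rejected names are what a defender should log and alert on rather than
    silently drop: they should never appear in a well-behaved repository.
    """
    accepted = [n for n in names if is_safe_branch_name(n)]
    rejected = [n for n in names if not is_safe_branch_name(n)]
    return accepted, rejected


def build_hg_update_args(repo_dir: str, branch: str) -> List[str]:
    """Build an argv list for `hg update` that the branch name cannot steer.

    Raises ValueError for an unsafe name. The list is meant for
    subprocess.run(args, shell=False): no shell is involved, and the '--'
    end-of-options marker makes hg treat the following token as positional.
    """
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["hg", "--cwd", repo_dir, "update", "--", branch]
```

Validation and the "--" marker are independent layers: the first keeps hostile names out of the system entirely, the second keeps a name from being parsed as an option even if validation is bypassed elsewhere.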

Affected versions:

• Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Fix:

• Bamboo version 6.2.5 is available to download from https://www.atlassian.com/software/bamboo/download.
• Bamboo version 6.1.6 is available to download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements

Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory: https://confluence.atlassian.com/x/6FcGO.


Change history

Said made changes -
Labels Original: CVE-2017-14590 advisory advisory-released cvss-critical security New: CVE-2017-14590 advisory advisory-released cvss-critical injection rce security

Monique Khairuliana (Inactive) made changes -
Workflow Original: Bamboo Workflow 2016 v1 - Restricted [ 2478578 ] New: JAC Bug Workflow v3 [ 3385716 ]
Status Original: Resolved [ 5 ] New: Closed [ 6 ]

Owen made changes -
Symptom Severity Original: Major [ 14431 ] New: Severity 2 - Major [ 15831 ]

David Black made changes -
Labels Original: CVE-2017-14590 advisory cvss-critical security New: CVE-2017-14590 advisory advisory-released cvss-critical security

David Black made changes -
Security Original: Reporter and Atlassian Staff [ 10751 ]

Marcin Oles made changes -
Description: only the affected-version boundaries and the two fix versions changed; every other line of the text is the same in Original and New.
Original (differing lines only):
* Versions of Bamboo starting with 2.7.0 before 6.1.5 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.4 (the fixed version for 6.2.x) are affected by this vulnerability.
* Bamboo version 6.2.4 is available to download from [https://www.atlassian.com/software/bamboo/download].
* Bamboo version 6.1.5 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].
New (full text):
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following:
* create a repository in Bamboo
* edit an existing plan in Bamboo that has a non-linked Mercurial repository
* create or edit a plan in Bamboo when there is at least one linked Mercurial repository that the attacker has permission to use
* commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled
can execute code of their choice on systems that run a vulnerable version of Bamboo Server.

*Affected versions:*
* Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

*Fix:*
* Bamboo version 6.2.5 is available to download from [https://www.atlassian.com/software/bamboo/download].
* Bamboo version 6.1.6 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

*Acknowledgements*
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the [full advisory|https://confluence.atlassian.com/x/6FcGO].

Marcin Oles made changes -
Fix Version/s New: 6.1.6 [ 77296 ]
Fix Version/s Original: 6.1.2 [ 73637 ]

David Black made changes -
Remote Link Original: This issue links to "Page (Extranet)" [ 333147 ]

David Black made changes -
Description: whitespace-only edit. Original and New differ only in blank lines; both are otherwise identical to the Original text of the Marcin Oles description change above (6.1.5 / 6.2.4 versions, advisory link present).

David Black made changes -
Description: the closing sentence changed from "For additional details see the full advisory." to "For additional details see the [full advisory|https://confluence.atlassian.com/x/6FcGO]."; the rest of the text is identical to the Original text of the Marcin Oles description change above (6.1.5 / 6.2.4 versions).

              pbruski Przemek Bruski
              dblack David Black