[BAM-18843] Argument injection in Mercurial repository handling - CVE-2017-14590 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 6.2.5, 6.1.6
Affects Version/s: 2.7
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following:

create a repository in Bamboo
edit an existing plan in Bamboo that has a non-linked Mercurial repository
create or edit a plan in Bamboo when there is at least one linked Mercurial repository that the attacker has permission to use
commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled
can execute code of their choice on systems that run a vulnerable version of Bamboo Server.

Affected versions:

Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Fix:

Bamboo version 6.2.5 is available to download from https://www.atlassian.com/software/bamboo/download.
Bamboo version 6.1.6 is available to download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory.

relates to

BAM-18842 Remote code execution through OGNL double evaluation - CVE-2017-14589

Closed

BDEV-14063 Failed to load

SECENG-886 Failed to load

David Black added a comment - 15/Nov/2017 11:04 PM

CVSS v3 score: 9.1 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

David Black added a comment - 15/Nov/2017 11:04 PM CVSS v3 score: 9.1 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Assignee:: Przemek Bruski

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 15/Nov/2017 10:54 PM

Updated:: 06/Dec/2019 3:59 AM

Resolved:: 04/Dec/2017 5:32 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[BAM-18843] Argument injection in Mercurial repository handling - CVE-2017-14590

Collapse comment: David Black added a comment - 15/Nov/2017 11:04 PM

Expand comment: David Black added a comment - 15/Nov/2017 11:04 PM

People

Dates