Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following:
- create a repository in Bamboo
- edit an existing plan in Bamboo that has a non-linked Mercurial repository
- create or edit a plan in Bamboo when there is at least one linked Mercurial repository that the attacker has permission to use
- commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled
can execute code of their choice on systems that run a vulnerable version of Bamboo Server.
- Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
- Bamboo version 6.2.5 is available to download from https://www.atlassian.com/software/bamboo/download.
- Bamboo version 6.1.6 is available to download from https://www.atlassian.com/software/bamboo/download-archives.
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.
For additional details see the full advisory.