Uploaded image for project: 'Bamboo'
  1. Bamboo
  2. BAM-19743

Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5224

    XMLWordPrintable

    Details

    • Last commented by user?:
      true
    • Comments:
      1
    • Symptom Severity:
      Critical

      Description

      Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to do one or more of the following:

      • create a repository in Bamboo
      • edit an existing plan in Bamboo that has a non-linked Mercurial repository
      • create a plan in Bamboo either globally or in a project using Bamboo Specs

      can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system.

       

      Affected versions:

      • All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.

      Fix:

      Acknowledgements
      Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

      For additional details see the full advisory.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                dblack David Black
                Participants:
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Last commented:
                  27 weeks, 5 days ago