Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-19743

Argument injection through Mercurial repository uri handling on Windows - CVE-2018-5224


      Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to do one or more of the following:

      • create a repository in Bamboo
      • edit an existing plan in Bamboo that has a non-linked Mercurial repository
      • create a plan in Bamboo either globally or in a project using Bamboo Specs

      can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system.


      Affected versions:

      • All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.


      Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

      For additional details see the full advisory.

            Unassigned Unassigned
            dblack David Black
            0 Vote for this issue
            1 Start watching this issue