Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to do one or more of the following:
- create a repository in Bamboo
- edit an existing plan in Bamboo that has a non-linked Mercurial repository
- create a plan in Bamboo either globally or in a project using Bamboo Specs
can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system.
- All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.
- Bamboo version 6.4.1 is available to download from https://www.atlassian.com/software/bamboo/download.
- Bamboo version 6.3.3 is available to download from https://www.atlassian.com/software/bamboo/download-archives.
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.
For additional details see the full advisory.