
CVE-2020-17527 - Does this vulnerability affect Bamboo?

    • Type: Suggestion
    • Resolution: Fixed
    • 7.2.4
    • Tomcat tasks
    • None

      Please advise whether the following vulnerability affects Bamboo.

       

      Apache has released an update to address a vulnerability affecting Tomcat. Successful exploitation of the vulnerability may allow an attacker to perform Denial-of-Service (DoS) and/or obtain sensitive information on a vulnerable system.

       

       

      Vulnerability Information

      | CVE | CVSS Base Score | GITSIR’s Rating* | Product Name | Version |
      |---|---|---|---|---|
      | CVE-2020-17527 | Not Available | Not Available | Apache Tomcat | Apache Tomcat 10.0.0-M1 to 10.0.0-M9; Apache Tomcat 9.0.0.M5 to 9.0.39; Apache Tomcat 8.5.1 to 8.5.59 |

       

      | GITSIR’s Rating* | CVSS Base Score |
      |---|---|
      | High | x >= 8.0 |
      | Medium | 4.0 <= x < 8.0 |
      | Low | x < 4.0 |

            [BAM-21185] CVE-2020-17527 - Does this vulnerability affect Bamboo?

            Ellie Z (they/them) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Waiting for Release [ 12075 ] New: Closed [ 6 ]
            Marcin Gardias made changes -
            Status Original: In Progress [ 3 ] New: Waiting for Release [ 12075 ]
            Marcin Gardias made changes -
            Status Original: Gathering Interest [ 11772 ] New: In Progress [ 3 ]
            Marcin Gardias made changes -
            Fix Version/s New: 7.2.4 [ 94832 ]


            Alexey Chystoprudov added a comment - 1e1174f2f39a Bamboo doesn't use HTTP/2 by default, but a user can configure Tomcat to use it. So Bamboo is not vulnerable by default, but might be affected if HTTP/2 is configured by an admin.
            Ashfak Mulla created issue -

              Assignee: Unassigned
              Reporter: 1e1174f2f39a Ashfak Mulla
              Votes: 0
              Watchers: 3

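The condition stated in the comment above (an affected Tomcat version combined with HTTP/2 enabled by an admin) can be checked against a `server.xml`. This is an added example, not code from the issue or from Atlassian. It assumes HTTP/2 is enabled the usual Tomcat way, through an `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>` child of a `<Connector>`, and that the operator supplies the Tomcat version string; the function names and both sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected Apache Tomcat ranges, copied from the table in the issue.
AFFECTED = [("10.0.0-M1", "10.0.0-M9"), ("9.0.0.M5", "9.0.39"), ("8.5.1", "8.5.59")]
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"  # Tomcat's HTTP/2 upgrade handler

def version_key(version):
    """Sortable key for '9.0.39', '9.0.0.M5' or '10.0.0-M9'; milestones sort before the release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), stage)

def in_affected_range(version):
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED)

def http2_connector_ports(server_xml):
    """Ports of <Connector> elements that have an HTTP/2 <UpgradeProtocol> child."""
    root = ET.fromstring(server_xml)
    return [
        conn.get("port")
        for conn in root.iter("Connector")
        if any(up.get("className") == HTTP2_CLASS for up in conn.findall("UpgradeProtocol"))
    ]

def needs_attention(version, server_xml):
    """True only when the Tomcat version is in range AND an admin has enabled HTTP/2."""
    return in_affected_range(version) and bool(http2_connector_ports(server_xml))

# Constructed sample configurations (assumptions, not taken from a real install).
DEFAULT_XML = """<Server><Service name="Catalina">
  <Connector port="8085" protocol="HTTP/1.1" />
</Service></Server>"""
HTTP2_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_XML), ("http2", HTTP2_XML)):
        print(label, "9.0.39", http2_connector_ports(xml), needs_attention("9.0.39", xml))
```

An `<UpgradeProtocol>` element that is commented out in `server.xml` is ignored by the XML parser, so it does not count as enabled.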