[BAM-21216] Code Injection and Directory Traversal in plexus-utils - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Public Security Vulnerability
Status: Published (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 7.2.1
Fix Version/s: 8.0.0, 7.2.2
Component/s: None
Labels:

CVSS Score:
2
CVSS Severity:
Low

Description

This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via

CVE-2017-1000487 - command injection

sonatype-2016-0398 - directory traversal

sonatype-2015-0173 - XML Injection

The affected versions are before version 7.2.2, and before 8.0.0.

It's build time vulnerability for Bamboo plugin and Bamboo Specs code.

Affected versions:

version < 7.2.2

Fixed versions:

7.2.2
8.0.0

Workaround

For Bamboo plugin code

Use parent pom of version 6.1.2

<parent>
    <groupId>com.atlassian.pom</groupId>
    <artifactId>base-pom</artifactId>
    <version>6.1.2</version>
</parent>

For Bamboo Specs Java project

Add these lines to pom.xml

<build>
  <extensions>
    <extension>
      <groupId>org.apache.maven.wagon</groupId>
      <artifactId>wagon-ssh-external</artifactId>
      <version>3.4.2</version>
    </extension>
  </extensions>
</build>

Attachments

Activity

People

Assignee:: Kaif Ahsan

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 25/Jan/2021 4:06 AM

Updated:: 02/Feb/2021 12:09 AM

Resolved:: 25/Jan/2021 4:22 AM