Bamboo Data Center / BAM-21216

Code Injection and Directory Traversal in plexus-utils

    • CVSS score: 2
    • Severity: Low
    • CVE ID: CVE-2017-10004

      This vulnerability allows unauthenticated remote attackers to inject code and XML, and to perform directory traversal, through the following issues in plexus-utils:

      • CVE-2017-1000487 - command injection
      • sonatype-2016-0398 - directory traversal
      • sonatype-2015-0173 - XML injection

      Affected versions are those before 7.2.2, and those before 8.0.0 on the later release line.

      This is a build-time vulnerability: the vulnerable plexus-utils code is reached while Bamboo plugin code or Bamboo Specs code is built with Maven, which is why the workaround is applied in the project's pom.xml. Exploitation still requires attacker-controlled input (command arguments, XML, or file paths) to reach plexus-utils during that build.

      Affected versions:

      • version < 7.2.2

      Fixed versions:

      • 7.2.2
      • 8.0.0  

      Workaround

      For Bamboo plugin code

      Use version 6.1.2 of the Atlassian base pom (com.atlassian.pom:base-pom) as the project's parent:

      <parent>
          <groupId>com.atlassian.pom</groupId>
          <artifactId>base-pom</artifactId>
          <version>6.1.2</version>
      </parent>
      

      For a Bamboo Specs Java project

      Add this build extension to pom.xml (wagon-ssh-external 3.4.2):

      <build>
        <extensions>
          <extension>
            <groupId>org.apache.maven.wagon</groupId>
            <artifactId>wagon-ssh-external</artifactId>
            <version>3.4.2</version>
          </extension>
        </extensions>
      </build>
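      The following script is an added example, not code from this issue or from Atlassian: it statically checks a pom.xml for either workaround above by parsing the POM, reading the parent coordinates and the build extensions, and comparing their versions against 6.1.2 (base-pom) and 3.4.2 (wagon-ssh-external). The sample POMs at the bottom are constructed for the demonstration; the com.example coordinates, the "6.0.0" pre-workaround parent version, and the function names (check_pom, parse_version) are assumptions, not taken from the advisory.

```python
"""Static check for the BAM-21216 pom.xml workarounds (added example, not Atlassian code)."""
import sys
import xml.etree.ElementTree as ET

# Minimum versions named in the advisory
MIN_BASE_POM = (6, 1, 2)            # com.atlassian.pom:base-pom
MIN_WAGON_SSH_EXTERNAL = (3, 4, 2)  # org.apache.maven.wagon:wagon-ssh-external


def parse_version(text):
    """Turn '6.1.2' or '3.4.2-SNAPSHOT' into a tuple of ints for comparison.
    A qualifier after '-' is dropped; a non-numeric piece counts as 0."""
    parts = []
    for piece in text.strip().split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _namespace(root):
    """Maven POMs normally declare the POM 4.0.0 namespace; tolerate POMs without one."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _child_text(elem, ns, tag):
    child = elem.find(ns + tag)
    return child.text.strip() if child is not None and child.text else None


def check_pom(pom_xml):
    """Report which of the two advisory workarounds a POM carries.

    parent_ok:    parent is com.atlassian.pom:base-pom at version >= 6.1.2
    extension_ok: build extension org.apache.maven.wagon:wagon-ssh-external >= 3.4.2
    """
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    result = {"parent_ok": False, "parent_version": None,
              "extension_ok": False, "extension_version": None}

    parent = root.find(ns + "parent")
    if (parent is not None
            and _child_text(parent, ns, "groupId") == "com.atlassian.pom"
            and _child_text(parent, ns, "artifactId") == "base-pom"):
        version = _child_text(parent, ns, "version")
        result["parent_version"] = version
        result["parent_ok"] = version is not None and parse_version(version) >= MIN_BASE_POM

    for ext in root.findall(f"{ns}build/{ns}extensions/{ns}extension"):
        if (_child_text(ext, ns, "groupId") == "org.apache.maven.wagon"
                and _child_text(ext, ns, "artifactId") == "wagon-ssh-external"):
            version = _child_text(ext, ns, "version")
            result["extension_version"] = version
            result["extension_ok"] = (version is not None
                                      and parse_version(version) >= MIN_WAGON_SSH_EXTERNAL)

    result["workaround_applied"] = result["parent_ok"] or result["extension_ok"]
    return result


# Constructed sample POMs. The com.example coordinates and the "6.0.0"
# pre-workaround parent version are hypothetical, not from the advisory.
PLUGIN_POM_OLD = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.atlassian.pom</groupId>
    <artifactId>base-pom</artifactId>
    <version>6.0.0</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>example-bamboo-plugin</artifactId>
  <version>1.0.0</version>
</project>
"""

PLUGIN_POM_FIXED = PLUGIN_POM_OLD.replace("<version>6.0.0</version>", "<version>6.1.2</version>")

SPECS_POM_FIXED = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-bamboo-specs</artifactId>
  <version>1.0.0</version>
  <build>
    <extensions>
      <extension>
        <groupId>org.apache.maven.wagon</groupId>
        <artifactId>wagon-ssh-external</artifactId>
        <version>3.4.2</version>
      </extension>
    </extensions>
  </build>
</project>
"""

if __name__ == "__main__":
    # With file arguments, check real POMs; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                print(path, check_pom(fh.read()))
    else:
        for name, pom in [("plugin (old)", PLUGIN_POM_OLD),
                          ("plugin (fixed)", PLUGIN_POM_FIXED),
                          ("specs (fixed)", SPECS_POM_FIXED)]:
            print(name, check_pom(pom))
```

      This only inspects the POM as written; the parent version can also be inherited or overridden through a property, so confirm the resolved value with `mvn help:effective-pom` before treating a project as covered.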
      

       

            [BAM-21216] Change history

            Security Metrics Bot made changes -
            CVE ID New: CVE-2017-10004
            AB made changes -
            CVSS Severity Original: Critical [ 16635 ] New: Low [ 16632 ]
            AB made changes -
            CVSS Score Original: 9.8 New: 2
            Alexey Chystoprudov made changes -
            Description: added the "For Bamboo Specs Java project" workaround (the wagon-ssh-external 3.4.2 build extension shown above). The rest of the description is unchanged.
            Alexey Chystoprudov made changes -
            Description: indentation fix inside the parent-pom code block; text unchanged.
            Alexey Chystoprudov made changes -
            Description: affected-version wording changed from "before version 7.2.2, and from version 7.3.0 before 8.0.0" to "before version 7.2.2, and before 8.0.0"; added the sentence that this is a build-time vulnerability for Bamboo plugin and Bamboo Specs code; added the Workaround section with the "For Bamboo plugin code" parent-pom change (base-pom 6.1.2).
            AB made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-released advisory-to-release dont-import security
            AB made changes -
            Summary Original: Code Injection and Directory Traversal in plexus-utils to 3.x New: Code Injection and Directory Traversal in plexus-utils
            Kaif Ahsan made changes -
            Summary Original: Update plexus-utils to 3.x New: Code Injection and Directory Traversal in plexus-utils to 3.x
            Kaif Ahsan made changes -
            Security Original: Atlassian Staff [ 10750 ]