Uploaded image for project: 'Bamboo'
  1. Bamboo
  2. BAM-21216

Code Injection and Directory Traversal in plexus-utils

    XMLWordPrintable

    Details

    • CVSS Score:
      2
    • CVSS Severity:
      Low

      Description

      This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via 

      • CVE-2017-1000487 - command injection
      • sonatype-2016-0398 - directory traversal
      • sonatype-2015-0173 - XML Injection 

      The affected versions are before version 7.2.2, and before 8.0.0.

      It's build time vulnerability for Bamboo plugin and Bamboo Specs code.

       

      Affected versions:

      • version < 7.2.2

      Fixed versions:

      • 7.2.2
      • 8.0.0  

      Workaround

      For Bamboo plugin code

      Use parent pom of version 6.1.2

      <parent>
          <groupId>com.atlassian.pom</groupId>
          <artifactId>base-pom</artifactId>
          <version>6.1.2</version>
      </parent>
      

      For Bamboo Specs Java project

      Add these lines to pom.xml

      <build>
        <extensions>
          <extension>
            <groupId>org.apache.maven.wagon</groupId>
            <artifactId>wagon-ssh-external</artifactId>
            <version>3.4.2</version>
          </extension>
        </extensions>
      </build>
      

       

        Attachments

          Activity

            People

            Assignee:
            c45ee8b91a70 Kaif Ahsan
            Reporter:
            security-metrics-bot Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: