Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-21216

Code Injection and Directory Traversal in plexus-utils

    XMLWordPrintable

Details

    • 2
    • Low
    • CVE-2017-10004

    Description

      This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via 

      • CVE-2017-1000487 - command injection
      • sonatype-2016-0398 - directory traversal
      • sonatype-2015-0173 - XML Injection 

      The affected versions are before version 7.2.2, and before 8.0.0.

      It's build time vulnerability for Bamboo plugin and Bamboo Specs code.

       

      Affected versions:

      • version < 7.2.2

      Fixed versions:

      • 7.2.2
      • 8.0.0  

      Workaround

      For Bamboo plugin code

      Use parent pom of version 6.1.2

      <parent>
    <groupId>com.atlassian.pom</groupId>
    <artifactId>base-pom</artifactId>
    <version>6.1.2</version>
</parent>

      For Bamboo Specs Java project

      Add these lines to pom.xml

      <build>
  <extensions>
    <extension>
      <groupId>org.apache.maven.wagon</groupId>
      <artifactId>wagon-ssh-external</artifactId>
      <version>3.4.2</version>
    </extension>
  </extensions>
</build>

       

      Attachments

        Activity

          People

            c45ee8b91a70 Kaif Ahsan
            security-metrics-bot Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: