-
Public Security Vulnerability
-
Resolution: Fixed
-
Low
-
7.2.1
-
None
-
2
-
Low
-
CVE-2017-10004
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
- CVE-2017-1000487 - command injection
- sonatype-2016-0398 - directory traversal
- sonatype-2015-0173 - XML Injection
The affected versions are before version 7.2.2, and before 8.0.0.
It's build time vulnerability for Bamboo plugin and Bamboo Specs code.
Affected versions:
- version < 7.2.2
Fixed versions:
- 7.2.2
- 8.0.0
Workaround
For Bamboo plugin code
Use parent pom of version 6.1.2
<parent>
<groupId>com.atlassian.pom</groupId>
<artifactId>base-pom</artifactId>
<version>6.1.2</version>
</parent>
For Bamboo Specs Java project
Add these lines to pom.xml
<build>
<extensions>
<extension>
<groupId>org.apache.maven.wagon</groupId>
<artifactId>wagon-ssh-external</artifactId>
<version>3.4.2</version>
</extension>
</extensions>
</build>
[BAM-21216] Code Injection and Directory Traversal in plexus-utils
| CVE ID | New: CVE-2017-10004 |
| CVSS Severity | Original: Critical [ 16635 ] | New: Low [ 16632 ] |
| CVSS Score | Original: 9.8 | New: 2 |
| Description |
Original:
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
* CVE-2017-1000487 - command injection * sonatype-2016-0398 - directory traversal * sonatype-2015-0173 - XML Injection The affected versions are before version 7.2.2, and before 8.0.0. It's build time vulnerability for Bamboo plugin and Bamboo Specs code. *Affected versions:* * version < 7.2.2 *Fixed versions:* * 7.2.2 * 8.0.0 h3. Workaround h4. For Bamboo plugin code Use parent pom of version 6.1.2 {code} <parent> <groupId>com.atlassian.pom</groupId> <artifactId>base-pom</artifactId> <version>6.1.2</version> </parent> {code} |
New:
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
* CVE-2017-1000487 - command injection * sonatype-2016-0398 - directory traversal * sonatype-2015-0173 - XML Injection The affected versions are before version 7.2.2, and before 8.0.0. It's build time vulnerability for Bamboo plugin and Bamboo Specs code. *Affected versions:* * version < 7.2.2 *Fixed versions:* * 7.2.2 * 8.0.0 h3. Workaround h4. For Bamboo plugin code Use parent pom of version 6.1.2 {code} <parent> <groupId>com.atlassian.pom</groupId> <artifactId>base-pom</artifactId> <version>6.1.2</version> </parent> {code} h4. For Bamboo Specs Java project Add these lines to pom.xml {code} <build> <extensions> <extension> <groupId>org.apache.maven.wagon</groupId> <artifactId>wagon-ssh-external</artifactId> <version>3.4.2</version> </extension> </extensions> </build> {code} |
| Description |
Original:
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
* CVE-2017-1000487 - command injection * sonatype-2016-0398 - directory traversal * sonatype-2015-0173 - XML Injection The affected versions are before version 7.2.2, and before 8.0.0. It's build time vulnerability for Bamboo plugin and Bamboo Specs code. *Affected versions:* * version < 7.2.2 *Fixed versions:* * 7.2.2 * 8.0.0 h3. Workaround h4. For Bamboo plugin code Use parent pom of version 6.1.2 {code} <parent> <groupId>com.atlassian.pom</groupId> <artifactId>base-pom</artifactId> <version>6.1.2</version> </parent> {code} |
New:
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
* CVE-2017-1000487 - command injection * sonatype-2016-0398 - directory traversal * sonatype-2015-0173 - XML Injection The affected versions are before version 7.2.2, and before 8.0.0. It's build time vulnerability for Bamboo plugin and Bamboo Specs code. *Affected versions:* * version < 7.2.2 *Fixed versions:* * 7.2.2 * 8.0.0 h3. Workaround h4. For Bamboo plugin code Use parent pom of version 6.1.2 {code} <parent> <groupId>com.atlassian.pom</groupId> <artifactId>base-pom</artifactId> <version>6.1.2</version> </parent> {code} |
| Description |
Original:
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
* CVE-2017-1000487 - command injection * sonatype-2016-0398 - directory traversal * sonatype-2015-0173 - XML Injection The affected versions are before version 7.2.2, and from version 7.3.0 before 8.0.0. *Affected versions:* * version < 7.2.2 *Fixed versions:* * 7.2.2 * 8.0.0 |
New:
This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via
* CVE-2017-1000487 - command injection * sonatype-2016-0398 - directory traversal * sonatype-2015-0173 - XML Injection The affected versions are before version 7.2.2, and before 8.0.0. It's build time vulnerability for Bamboo plugin and Bamboo Specs code. *Affected versions:* * version < 7.2.2 *Fixed versions:* * 7.2.2 * 8.0.0 h3. Workaround h4. For Bamboo plugin code Use parent pom of version 6.1.2 {code} <parent> <groupId>com.atlassian.pom</groupId> <artifactId>base-pom</artifactId> <version>6.1.2</version> </parent> {code} |
| Labels | Original: advisory advisory-to-release dont-import security | New: advisory advisory-released advisory-to-release dont-import security |
| Summary | Original: Code Injection and Directory Traversal in plexus-utils to 3.x | New: Code Injection and Directory Traversal in plexus-utils |
| Summary | Original: Update plexus-utils to 3.x | New: Code Injection and Directory Traversal in plexus-utils to 3.x |
| Security | Original: Atlassian Staff [ 10750 ] |