Code Injection and Directory Traversal in plexus-utils

XMLWordPrintable

    • 2
    • Low
    • CVE-2017-10004

      This vulnerability allows unauthenticated remote attackers to inject code and XML as well as perform directory traversal via 

      • CVE-2017-1000487 - command injection
      • sonatype-2016-0398 - directory traversal
      • sonatype-2015-0173 - XML Injection 

      The affected versions are before version 7.2.2, and before 8.0.0.

      It's build time vulnerability for Bamboo plugin and Bamboo Specs code.

       

      Affected versions:

      • version < 7.2.2

      Fixed versions:

      • 7.2.2
      • 8.0.0  

      Workaround

      For Bamboo plugin code

      Use parent pom of version 6.1.2

      <parent>
    <groupId>com.atlassian.pom</groupId>
    <artifactId>base-pom</artifactId>
    <version>6.1.2</version>
</parent>

      For Bamboo Specs Java project

      Add these lines to pom.xml

      <build>
  <extensions>
    <extension>
      <groupId>org.apache.maven.wagon</groupId>
      <artifactId>wagon-ssh-external</artifactId>
      <version>3.4.2</version>
    </extension>
  </extensions>
</build>

       

            Assignee:
            Kaif Ahsan
            Reporter:
            Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: