• Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 8.0.7, 8.2.2, 8.1.6, 7.2.10
    • Affects Version/s (22): 7.2.0, 8.0.0, 7.2.1, 7.2.2, 7.2.6, 7.2.3, 7.2.4, 7.2.5, 8.0.1, 8.0.2, 8.0.3, 8.1.1, 8.0.4, 8.0.5, 7.2.7, 8.1.2, 8.2.0, 7.2.9, 8.1.3, 8.1.4, 8.2.1, 8.1.5, 7.2.10
    • Component/s: Security
    • Symptom Severity: Severity 3 - Minor
    • CVSS Score: 8.1
    • CVE ID: CVE-2021-31805

      Vulnerability Description

      Bamboo Server and Data Center use a version of Apache Struts that is vulnerable to double OGNL evaluation (CVE-2021-31805). This is due to an incomplete fix for CVE-2020-17530.

      Affected Versions

      • Versions < 7.2.10
      • 8.0.x < 8.0.7
      • 8.1.x < 8.1.6
      • 8.2.x < 8.2.2

      First fixed Versions

      • 7.2.10
      • 8.0.7
      • 8.1.6
      • 8.2.2

            [BAM-21834] Bamboo Struts security vulnerability CVE-2021-31805

            Santhosh Thokur Raghava made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 1005495 ]
            Alexey Chystoprudov made changes -
            Affects Version/s New: 8.0.0 [ 92814 ]
            Affects Version/s New: 7.2.6 [ 97897 ]
            Affects Version/s New: 7.2.4 [ 94832 ]
            Affects Version/s New: 8.0.1 [ 97707 ]
            Affects Version/s New: 8.0.2 [ 97610 ]
            Affects Version/s New: 8.0.3 [ 97895 ]
            Affects Version/s New: 8.1.1 [ 97096 ]
            Affects Version/s New: 8.0.4 [ 98008 ]
            Affects Version/s New: 8.0.5 [ 98593 ]
            Affects Version/s New: 7.2.7 [ 98692 ]
            Affects Version/s New: 8.2.0 [ 99297 ]
            Affects Version/s New: 7.2.9 [ 99894 ]
            Affects Version/s New: 8.1.3 [ 99896 ]
            Affects Version/s New: 8.1.4 [ 100291 ]
            Affects Version/s New: 8.2.1 [ 100298 ]
            Affects Version/s New: 8.1.5 [ 100592 ]
            Affects Version/s New: 7.2.10 [ 102206 ]
            Alexey Chystoprudov made changes -
            Affects Version/s New: 7.2.0 [ 92133 ]
            Affects Version/s New: 7.2.1 [ 93499 ]
            Affects Version/s New: 7.2.2 [ 93603 ]
            Affects Version/s New: 7.2.3 [ 94707 ]
            Affects Version/s New: 7.2.5 [ 95291 ]
            Brian Adeloye (Inactive) made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            Brian Adeloye (Inactive) made changes -
            Fix Version/s New: 7.2.10 [ 102206 ]
            Brian Adeloye (Inactive) made changes -
            Description Original: h3. Issue Summary

            Apache Struts 2.0.0 to 2.5.29 is vulnerable to CVE-2021-31805 (https://nvd.nist.gov/vuln/detail/CVE-2021-31805), which is a critical vulnerability with CVSS score 9.8

            h3. Steps to Reproduce

            ref: https://nvd.nist.gov/vuln/detail/CVE-2021-31805

            New: h3. Vulnerability Description

            Bamboo Server and Data Center use a version of Apache Struts that is vulnerable to double OGNL evaluation ([CVE-2021-31805|https://www.cve.org/CVERecord?id=CVE-2021-31805]). This is due to an incomplete fix for [CVE-2020-17530|https://www.cve.org/CVERecord?id=CVE-2020-17530].
            h3. Affected Versions
             * Versions < 7.2.10
             * 8.0.x < 8.0.7
             * 8.1.x < 8.1.6
             * 8.2.x < 8.2.2

            h3. First fixed Versions
             * 7.2.10
             * 8.0.7
             * 8.1.6
             * 8.2.2
            Brian Adeloye (Inactive) made changes -
            Labels New: CVE-2021-31805 advisory dont-import
            Brian Adeloye (Inactive) made changes -
            CVE ID New: CVE-2021-31805
            Brian Adeloye (Inactive) made changes -
            CVSS Score New: 8.1
            Workflow Original: JAC Bug Workflow v3 [ 4288903 ] New: JAC Public Security Vulnerability Workflow v2 [ 4290067 ]
            Issue Type Original: Bug [ 1 ] New: Public Security Vulnerability [ 10700 ]
            Status Original: Closed [ 6 ] New: Draft [ 12872 ]
            Shashank Kumar made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 668596 ]

              Anik Sengupta