- Public Security Vulnerability
- Resolution: Fixed
- Low
- 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.1.1, 8.0.4, 8.0.5, 8.1.2, 8.0.6, 8.2.0, 8.1.3, 8.0.7, 8.1.4, 8.2.1, 8.1.5, 8.2.2, 8.1.6, 9.0.0, 8.0.8, 8.1.7, 8.2.3, 8.1.8, 8.2.4, 8.0.9, 8.0.10, 8.1.9, 8.2.5, 8.2.6, 8.1.10, 8.0.11, 9.0.1, 9.1.0, 8.0.12, 8.1.11, 8.2.7, 9.0.2, 9.3.0, 9.2.1, 9.1.2, 8.2.8, 9.0.3, 8.0.13, 8.1.12, 9.1.3, 9.0.4, 8.2.9
- None
- 7.5
- High
- CVE-2023-22506
- Penetration Testing
- CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Injection, RCE (Remote Code Execution)
- Bamboo Data Center, Bamboo Server
This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center.
This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has high impact to confidentiality, high impact to integrity and high impact to availability, and requires no user interaction.
Vulnerable versions
All Bamboo Server and Data Center versions earlier than 9.2.3 and 9.3.1 are vulnerable.
Fixed versions
All Bamboo versions that contain a fix for this issue are listed in the "Fix Version/s" field of this ticket.
Atlassian recommends that you upgrade your instance to the latest version. If you're unable to upgrade to the latest version, upgrade to one of these fixed versions: 9.2.3 or 9.3.1. See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).
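The "earlier than 9.2.3 and 9.3.1" wording has a branch subtlety that a plain version comparison gets wrong: 9.3.0 sorts after 9.2.3 yet is listed as affected, because the fix on the 9.3 branch is 9.3.1. The following is an added example (not Atlassian's code and not part of this ticket) that encodes the advisory's statements, the introduction in 8.0.0 and the two fix releases, and triages a constructed inventory of hostnames and versions; the hostnames are made up.

```python
"""Affected-version check for CVE-2023-22506 (Bamboo Server / Data Center).

Rules taken from the advisory text:
  * the flaw was introduced in 8.0.0;
  * fixes shipped in 9.2.3 and 9.3.1;
  * every release earlier than those fix releases is vulnerable, so 9.3.0
    is affected even though it is numerically newer than 9.2.3.
"""
import re

FIRST_AFFECTED = (8, 0, 0)               # introduced in 8.0.0
FIXED_VERSIONS = ((9, 2, 3), (9, 3, 1))  # one fix release per branch

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?")


def parse_version(text):
    """Turn 'major.minor.patch' (optional build suffix) into an int tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Bamboo version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """True if the advisory lists this release as affected."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False  # pre-8.0.0 releases predate the bug
    # A branch that received a fix is clean from its fix release onward.
    for fix in FIXED_VERSIONS:
        if v[:2] == fix[:2] and v >= fix:
            return False
    # Branches newer than the newest fixed branch (9.4.x, 10.x) are not
    # "earlier than 9.3.1" and so fall outside the advisory's affected set.
    if v[:2] > max(fix[:2] for fix in FIXED_VERSIONS):
        return False
    return True


def triage(inventory):
    """Classify (host, version) pairs and name the fix release to move to.

    Target follows the advisory: 9.2.3 for the 9.2 branch, otherwise 9.3.1
    (the advisory prefers the latest release where that is possible).
    """
    report = []
    for host, version_text in inventory:
        vulnerable = is_vulnerable(version_text)
        branch = parse_version(version_text)[:2]
        target = "9.2.3" if branch == (9, 2) else "9.3.1"
        report.append({
            "host": host,
            "version": version_text,
            "vulnerable": vulnerable,
            "upgrade_to": target if vulnerable else None,
        })
    return report


# Constructed sample inventory; hostnames and the version mix are invented.
SAMPLE_INVENTORY = [
    ("bamboo-prod-01", "8.2.9"),   # last 8.2 release, no fix on that branch
    ("bamboo-prod-02", "9.2.2"),   # one release short of the 9.2 fix
    ("bamboo-stage-01", "9.3.0"),  # newer than 9.2.3, still affected
    ("bamboo-dev-01", "9.3.1"),    # fixed
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Feeding the script a real inventory export means replacing `SAMPLE_INVENTORY` with the (host, version) pairs from your own asset list; any row that comes back `vulnerable: True` has no patch on its branch and needs the upgrade the ticket names.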
This vulnerability was reported via our Penetration Testing program.
[BAM-22400] Injection, RCE (Remote Code Execution) in Bamboo
"Curtis: 8.2.5 and 8.2.6 are listed as affected. Maybe they weren't at first, but they are now."
Yes, they were added afterwards on the day I wrote my "we are paying customers" text. I know, thanks anyway.
"Justin Isler: When will a patch be available for 8.2?"
No, sadly there will not be one; you will have to upgrade to either 9.2.3+ or 9.3.1+, anything else below is affected now. (See the really transparent "Giant Version-Tag-List".)
"Curtis: 8.2 was released in April 2022. It will not receive an update according to this policy."
Yeah, that kinda explains it in a way; it would be more transparent if the text said other releases are not supported anymore, therefore only 9.x+ basically, but yeah, I agree.
Also thanks to Atlassian, meaning 73868399605e; I hope whatever process they had where this wasn't covered will be revisited and this updated information grade will become the new standard, for better transparency for everyone and to be better informed about IT-Sec related topics.