• Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 9.2.3, 9.3.1
    • Affects Version/s (45): 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.1.1, 8.0.4, 8.0.5, 8.1.2, 8.0.6, 8.2.0, 8.1.3, 8.0.7, 8.1.4, 8.2.1, 8.1.5, 8.2.2, 8.1.6, 9.0.0, 8.0.8, 8.1.7, 8.2.3, 8.1.8, 8.2.4, 8.0.9, 8.0.10, 8.1.9, 8.2.5, 8.2.6, 8.1.10, 8.0.11, 9.0.1, 9.1.0, 8.0.12, 8.1.11, 8.2.7, 9.0.2, 9.3.0, 9.2.1, 9.1.2, 8.2.8, 9.0.3, 8.0.13, 8.1.12, 9.1.3, 9.0.4, 8.2.9
    • Component/s: None
    • CVSS Score: 7.5
    • Severity: High
    • CVE ID: CVE-2023-22506
    • Reported by: Penetration Testing
    • CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    • Vulnerability Type: Injection, RCE (Remote Code Execution)
    • Affected Product(s): Bamboo Data Center, Bamboo Server

      This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center.

      This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has high impact on confidentiality, integrity and availability, and requires no user interaction.

      Vulnerable versions

      All Bamboo Server and Data Center versions earlier than 9.2.3 and 9.3.1 are vulnerable.

      Fixed versions

      All Bamboo versions that contain a fix to this issue are listed on the "Fix Version/s" field of this ticket.

      Atlassian recommends that you upgrade your instance to the latest version. If you're unable to upgrade to the latest version, upgrade to one of these fixed versions: 9.2.3 or 9.3.1. See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).

      This vulnerability was reported via our Penetration Testing program.
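      The version ranges the advisory states (introduced in 8.0.0, fixed in 9.2.3 and 9.3.1) can be turned into a check an operator runs against an installed Bamboo version; this is an added example, not code from the ticket or from Atlassian. The function names `status` and `upgrade_target` are chosen here, and treating branches newer than 9.3 as fixed is an assumption the ticket does not state.

```python
import re

# Ranges as stated in the BAM-22400 advisory: CVE-2023-22506 was introduced in
# 8.0.0 and fixed in 9.2.3 (9.2 LTS branch) and 9.3.1 (9.3 branch).
INTRODUCED = (8, 0, 0)
FIXED_RELEASES = [(9, 2, 3), (9, 3, 1)]


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bamboo version: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(version_text):
    """Classify a Bamboo version as 'not affected', 'affected' or 'fixed'."""
    v = parse_version(version_text)
    if v < INTRODUCED:
        return "not affected"  # predates the vulnerable code
    for fixed in FIXED_RELEASES:
        # Same major.minor branch: fixed from the listed patch level onwards.
        if v[:2] == fixed[:2]:
            return "fixed" if v >= fixed else "affected"
    # Assumption (not stated in the ticket): branches newer than 9.3 were cut
    # after the fix. Everything else (8.x, 9.0, 9.1) has no fixed release.
    return "fixed" if v[:2] > FIXED_RELEASES[-1][:2] else "affected"


def upgrade_target(version_text):
    """Lowest fixed release above the given version, or None if no upgrade is needed."""
    v = parse_version(version_text)
    if status(version_text) != "affected":
        return None
    for fixed in sorted(FIXED_RELEASES):
        if fixed > v:
            return ".".join(map(str, fixed))
    return None


if __name__ == "__main__":
    # Constructed sample: the versions commenters asked about in the ticket.
    for ver in ("8.2.5", "8.2.6", "9.2.1", "9.2.3", "9.3.0", "9.3.1"):
        print(ver, status(ver), upgrade_target(ver))
```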

            [BAM-22400] Injection, RCE (Remote Code Execution) in Bamboo

            jammsen added a comment - edited

            "Curtis: 8.2.5 and 8.2.6 are listed as affected. Maybe they weren't at first, but they are now."

            Yes, they were added afterwards on the day I wrote my "we are paying customers" text. I know, thanks anyway.

            "Justin Isler: When will a patch be available for 8.2?"

            No, sadly there will not be one; you will have to upgrade to either 9.2.3+ or 9.3.1+. Anything below is affected now. (See the really transparent "Giant Version-Tag-List".)

            "Curtis: 8.2 was released in April 2022. It will not receive an update according to this policy."

            Yeah, that kinda explains it in a way; it would be more transparent if the text said other releases are not supported anymore, therefore only 9.x+ basically, but yeah, I agree.

            Also thanks to Atlassian, meaning 73868399605e; I hope whatever process they had where this wasn't covered will be revisited and this updated information grade will become the new standard, for better transparency for everyone and to be better informed about IT-Sec related topics.


            Curtis added a comment -

            Only 9.2 branch (which is a LTS release) and 9.3 are listed as receiving the fix.

            Also, if you look at the Security Bugfix Policy, you find the following:

            Issue new bug fix releases for:

            • Any versions designated a 'Long Term Support release' that have not reached end of life.
            • All feature versions released within 6 months of the date the fix is released.

            8.2 was released in April 2022. It will not receive an update according to this policy.


            Justin Isler added a comment -

            @Curtis we are facing the same issue as @jammsen. Since the original question is still unanswered, here is a quote:

            We currently have 8.2.6 live, is Bamboo 8.2.6 affected and if yes, what's the fix path, without Platform upgrading untested content from almost 2 years of features?

            When will a patch be available for 8.2?

            Curtis added a comment -

            @jammsen 8.2.5 and 8.2.6 are listed as affected. Maybe they weren't at first, but they are now.


            jammsen added a comment -

            Atlassian? Hello?

            Guys we are paying customers ... why is no one on your end willing to make a clear statement which statement is true?!

            We have days-old unanswered questions on whether 8.2.5 and 8.2.6 are affected .... That's because this article still has 2 statements that contradict each other and make this issue "misinforming" .... It's either only "8.0.0, 8.1.1, 8.2.0, 9.1.0, 9.3.0, 9.2.1" is affected OR "All Bamboo Server and Data Center versions earlier than 9.2.3 and 9.3.1 are vulnerable". Those are 2 statements that don't fit each other; you can't have it both ways. Explain the truth and stick to it ....

            This is a CVE .... this has high security implications, why is no one answering?! Do you guys not take IT-Security and customer safety that seriously? What's going on?


            jammsen added a comment -

            Thanks 73868399605e for the update.

            But there is still contradicting information in this issue. Either "ALL" below 9.2.3 and 9.3.1 are affected OR only these versions are affected: "8.0.0, 8.1.1, 8.2.0, 9.1.0, 9.3.0, 9.2.1".

            Which one is true? We run on 8.2.6 right now; in one case we have to do something, in the other case we don't. So now we are confused because both seem to be true according to this issue, which is not really helpful.

            jammsen added a comment -

            Hello, it feels like there is a certain amount of conflicting information/misinformation/uncertainty happening.

            • First it said only Bamboo 8.0.0 was affected
            • Then it said "All Bamboo Server and Data Center versions earlier than 9.2.3 and 9.3.1 are vulnerable." but not how to fix
            • Now it says, Affected Versions: 8.0.0, 8.1.1, 8.2.0, 9.1.0, 9.3.0, 9.2.1 BUT the only fixes are in 9.2.3 and 9.3.1

            Please, Atlassian, clarify which Platform and Major versions are affected now and what the fix/migration path is to the respective Release-Versions.

            We currently have 8.2.6 live, is Bamboo 8.2.6 affected and if yes, what's the fix path, without Platform upgrading untested content from almost 2 years of features?


            mahesh.shinde added a comment - edited

            Can anyone update which versions are affected by this CVE? I can see only the Bamboo 8.0 version.
            What about the Bamboo 8.2.5 version? Is it affected?

            What about a bugfix version for Bamboo 8.0? Is there any plan to backport the bugfix for Bamboo 8.0?


            Lance Stratton added a comment -

            This documentation shows that CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center. It says nothing about affected versions of Bamboo Server, does that mean that Bamboo Server is not affected or what? Some more detail would be appreciated. Maybe a list showing affected versions of Data Center and Server since you have both listed in the Affected Products.

            Richard Schwab added a comment -

            Does this only affect Data Center or also Server?

            The text explicitly mentions Data Center but "Affected Product(s)" also lists Server.

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.5 => High severity

            Exploitability Metrics

            • Attack Vector: Network
            • Attack Complexity: High
            • Privileges Required: Low
            • User Interaction: None

            Scope Metric

            • Scope: Unchanged

            Impact Metrics

            • Confidentiality: High
            • Integrity: High
            • Availability: High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
