Third-Party Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 8.1.12 of Bamboo Data Center and Server.

This Third-Party Dependency vulnerability, with CVSS Score(s) of 7.5, and CVSS Vector(s) of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an attacker to expose assets in your environment susceptible to exploitation.

Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.1
• Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.4
• Bamboo Data Center and Server 8.2: Upgrade to a non-vulnerable Bamboo 9.2 or 9.3 listed above
• Bamboo Data Center and Server 8.1: Upgrade to a non-vulnerable Bamboo 9.2 or 9.3 listed above

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).

The National Vulnerability Database provides the following description for this vulnerability: The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.