• Type: Public Security Vulnerability
• Resolution: Done
• Priority: High
• Fix Version/s: 9.2.8
• Affects Version/s: 9.2.1, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[BAM-25614] RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

Paul Theriault made changes - 16/Jan/2024 6:20 AM

Resolution		New: Done [ 17 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Paul Theriault made changes - 16/Jan/2024 6:19 AM

Security

Original: Atlassian Staff [ 10750 ]

Zachary Echouafni made changes - 11/Jan/2024 4:09 PM

Vulnerability Classes

Original: Patch Management [ 18158 ]

New: RCE (Remote Code Execution) [ 18143 ]

Zachary Echouafni made changes - 11/Jan/2024 4:09 PM

Summary

Original: org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

New: RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

Alexey Chystoprudov made changes - 10/Jan/2024 2:20 PM

Description

Original: This High severity org.jvnet.hudson:xstream Dependency vulnerability was introduced in versions 9.1.3 and 9.2.1 of Bamboo Data Center and Server. This org.jvnet.hudson:xstream Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.8 See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). The National Vulnerability Database provides the following description for this vulnerability: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

New: This High severity org.jvnet.hudson:xstream Dependency vulnerability was introduced in versions 9.2.1 of Bamboo Data Center and Server. This org.jvnet.hudson:xstream Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:  * Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.8 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]). The National Vulnerability Database provides the following description for this vulnerability: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Alexey Chystoprudov made changes - 10/Jan/2024 2:20 PM

Affects Version/s

Original: 9.1.3 [ 104995 ]

Guillermo Jimenez made changes - 09/Jan/2024 8:48 PM

Description

Original: This High severity Third-Party Dependency vulnerability was introduced in versions 9.1.3 and 9.2.1 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.8 See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). The National Vulnerability Database provides the following description for this vulnerability: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

New: This High severity org.jvnet.hudson:xstream Dependency vulnerability was introduced in versions 9.1.3 and 9.2.1 of Bamboo Data Center and Server. This org.jvnet.hudson:xstream Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.8 See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). The National Vulnerability Database provides the following description for this vulnerability: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Guillermo Jimenez made changes - 09/Jan/2024 8:47 PM

Summary

Original: Third-Party Dependency in Bamboo Data Center and Server

New: org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

Security Metrics Bot made changes - 14/Dec/2023 2:45 PM

Labels

Original: security

New: advisory advisory-to-release dont-import security

Security Metrics Bot created issue - 14/Dec/2023 2:45 PM