SQLi (SQL Injection) org.postgresql:postgresql Dependency in Bamboo Data Center and Server

This unexploitable Critical severity vulnerability has a lower assessed risk by Atlassian, as a result it’s disclosed in the Monthly Security Bulletin instead of a Critical Security Advisory. Bamboo & Other Atlassian Data Center products are unaffected by this vulnerability as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.

This Critical severity org.postgresql:postgresql Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.

This org.postgresql:postgresql Dependency vulnerability, with a CVSS Score of 10 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

||Affected versions||Fixed versions||
|from 9.5.0 to 9.5.1|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only|
|from 9.4.0 to 9.4.3|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4|
|from 9.3.0 to 9.3.6|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4|
|from 9.2.0 to 9.2.11 (LTS)|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|from 9.1.0 to 9.1.3|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|from 9.0.0 to 9.0.4|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|from 8.2.0 to 8.2.9|9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|
|Any earlier versions |9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)|

PLEASE NOTE: Bamboo & Other Atlassian Data Center products are unaffected by this vulnerability as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.

See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).

The National Vulnerability Database provides the following description for this vulnerability: pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.