Lucene search

AtlassianCVE-2017-8907

HistoryJun 14, 2017 - 8:29 p.m.

CVE-2017-8907

2017-06-1420:29:00

CWE-863

atlassian

web.nvd.nist.gov

atlassian

bamboo

cve-2017-8907

security vulnerability

code execution

unauthorized deployment

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

45.4%

JSON

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

Affected configurations

Nvd

Node

atlassianbambooMatch5.0

atlassianbambooMatch5.0beta1

atlassianbambooMatch5.0beta2

atlassianbambooMatch5.0beta3

atlassianbambooMatch5.0rc1

atlassianbambooMatch5.0.1

atlassianbambooMatch5.1

atlassianbambooMatch5.1.1

atlassianbambooMatch5.2

atlassianbambooMatch5.2.1

atlassianbambooMatch5.2.2

atlassianbambooMatch5.3

atlassianbambooMatch5.4

atlassianbambooMatch5.4.1

atlassianbambooMatch5.4.2

atlassianbambooMatch5.5

atlassianbambooMatch5.6

atlassianbambooMatch5.6.1

atlassianbambooMatch5.6.2

atlassianbambooMatch5.7

atlassianbambooMatch5.7.1

atlassianbambooMatch5.7.2

atlassianbambooMatch5.8

atlassianbambooMatch5.8.1

atlassianbambooMatch5.8.2

atlassianbambooMatch5.8.5

atlassianbambooMatch5.9

atlassianbambooMatch5.9.1

atlassianbambooMatch5.9.2

atlassianbambooMatch5.9.3

atlassianbambooMatch5.9.4

atlassianbambooMatch5.9.7

atlassianbambooMatch5.11.3

atlassianbambooMatch5.12.0

atlassianbambooMatch5.12.1

atlassianbambooMatch5.12.2

atlassianbambooMatch5.12.4

atlassianbambooMatch5.12.5

atlassianbambooMatch5.13.0

atlassianbambooMatch5.13.1

atlassianbambooMatch5.13.2

atlassianbambooMatch5.14.0

atlassianbambooMatch5.14.1

atlassianbambooMatch5.14.2

atlassianbambooMatch5.14.3

atlassianbambooMatch5.14.4.1

atlassianbambooMatch5.14.5

atlassianbambooMatch5.15.0

atlassianbambooMatch5.15.2

atlassianbambooMatch5.15.3

atlassianbambooMatch5.15.4

atlassianbambooMatch5.15.5

atlassianbambooMatch6.0.0

VendorProductVersionCPE
atlassianbamboo5.0cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*
atlassianbamboo5.0cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*
atlassianbamboo5.0cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*
atlassianbamboo5.0cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*
atlassianbamboo5.0cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*
atlassianbamboo5.0.1cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*
atlassianbamboo5.1cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*
atlassianbamboo5.1.1cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*
atlassianbamboo5.2cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*
atlassianbamboo5.2.1cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
atlassian	bamboo	5.0	cpe:2.3:a:atlassian:bamboo:5.0:::::::*
atlassian	bamboo	5.0	cpe:2.3:a:atlassian:bamboo:5.0:beta1::::::
atlassian	bamboo	5.0	cpe:2.3:a:atlassian:bamboo:5.0:beta2::::::
atlassian	bamboo	5.0	cpe:2.3:a:atlassian:bamboo:5.0:beta3::::::
atlassian	bamboo	5.0	cpe:2.3:a:atlassian:bamboo:5.0:rc1::::::
atlassian	bamboo	5.0.1	cpe:2.3:a:atlassian:bamboo:5.0.1:::::::*
atlassian	bamboo	5.1	cpe:2.3:a:atlassian:bamboo:5.1:::::::*
atlassian	bamboo	5.1.1	cpe:2.3:a:atlassian:bamboo:5.1.1:::::::*
atlassian	bamboo	5.2	cpe:2.3:a:atlassian:bamboo:5.2:::::::*
atlassian	bamboo	5.2.1	cpe:2.3:a:atlassian:bamboo:5.2.1:::::::*

Rows per page:

1-10 of 531

CNA Affected

[
  {
    "product": "Atlassian Bamboo",
    "vendor": "Atlassian",
    "versions": [
      {
        "status": "affected",
        "version": "5.0.0 <= version < 5.15.7"
      },
      {
        "status": "affected",
        "version": "6.0.0 <= version < 6.0.1"
      }
    ]
  }
]

References

www.securityfocus.com/bid/99090

confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

45.4%

JSON

Related for CVE-2017-8907