CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 55.0%
This High severity Injection and RCE (Remote Code Execution) vulnerability, known as CVE-2023-22506, was introduced in version 8.0.0 of Bamboo Data Center.
This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has high impact to confidentiality, high impact to integrity, and high impact to availability, and requires no user interaction.
Atlassian recommends that you upgrade your instance to the latest version. If you're unable to upgrade to the latest version, upgrade to one of these fixed versions: 9.2.3 and 9.3.1. See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).
This vulnerability was reported via our Penetration Testing program.
[
  {
    "vendor": "Atlassian",
    "product": "Bamboo Data Center",
    "versions": [
      {
        "version": "< 8.0.0",
        "status": "unaffected"
      },
      {
        "version": ">= 8.0.0",
        "status": "affected"
      },
      {
        "version": ">= 9.2.3",
        "status": "unaffected"
      },
      {
        "version": ">= 9.3.1",
        "status": "unaffected"
      }
    ]
  },
  {
    "vendor": "Atlassian",
    "product": "Bamboo Server",
    "versions": [
      {
        "version": "< 8.0.0",
        "status": "unaffected"
      },
      {
        "version": ">= 8.0.0",
        "status": "affected"
      },
      {
        "version": ">= 9.2.3",
        "status": "unaffected"
      },
      {
        "version": ">= 9.3.1",
        "status": "unaffected"
      }
    ]
  }
]