Atlassian Bamboo 6.x Code Execution Vulnerability

This email refers to the advisory found at
https://confluence.atlassian.com/x/PS9sO .


CVE ID:

* CVE-2018-5224.


Product: Bamboo.

Affected Bamboo product versions:

2.7.0 <= version < 6.3.3
6.4.0 <= version < 6.4.1


Fixed Bamboo product versions:

* for 6.3.x, Bamboo 6.3.3 has been released with a fix for this issue.
* for 6.4.x, Bamboo 6.4.1 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from
version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows
operating system are affected by this vulnerability.



Customers who have upgraded Bamboo to version 6.3.3 or 6.4.1 are not affected.

Customers who have downloaded and installed Bamboo >= 2.7.0 but less than 6.3.3
(the fixed version for 6.3.x) or who have downloaded and installed Bamboo >=
6.4.0 but less than 6.4.1 (the fixed version for 6.4.x) please upgrade your
Bamboo installations immediately to fix this vulnerability.



Argument injection through Mercurial repository uri handling on Windows
(CVE-2018-5224)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bamboo did not correctly check if a configured Mercurial repository URI
contained values that the Windows operating system may consider argument
parameters. An attacker who has permission to create a repository in Bamboo,
edit an existing plan in Bamboo that has a non-linked Mercurial repository, or
create a plan in Bamboo either globally or in a project using Bamboo Specs can
execute code of their choice on systems that run a vulnerable version of Bamboo
on the Windows operating system.
Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for
6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running
on the Windows operating system are affected by this vulnerability. This issue
can be tracked at: https://jira.atlassian.com/browse/BAM-19743 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Bamboo version 6.3.3
* Bamboo version 6.4.1

Remediation:

Upgrade Bamboo to version 6.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Bamboo 6.3.x and cannot upgrade to 6.4.1, upgrade to version
6.3.3.


For a full description of the latest version of Bamboo, see
the release notes found at
https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can
download the latest version of Bamboo from the download centre found at
https://www.atlassian.com/software/bamboo/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

#  0day.today [2018-04-10]  #