PT-2017-18614 · Atlassian · Bamboo

Inhibitor181

+1

·

Published

2017-06-14

·

Updated

2024-10-16

·

CVE-2017-8907

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Atlassian Bamboo versions 5.x through 5.15.6
Atlassian Bamboo versions 6.x through 6.0.0

Description
Bamboo performs an incorrect permission check when a user creates a deployment project. Any user who can log in to Bamboo, even without edit permission for deployment projects, can create a deployment project, link it to an existing plan whose latest build is green, and have the project's deployment tasks executed on any available Bamboo Agent; since the attacker controls those tasks, this is arbitrary code execution on the agent. A local agent is enabled by default, so in a default installation the code runs on the host serving Bamboo, as the operating-system user that runs Bamboo.

Recommendations
For Atlassian Bamboo versions 5.x through 5.15.6, update to version 5.15.7 or later. For Atlassian Bamboo versions 6.x through 6.0.0, update to version 6.0.1 or later. Disabling the local agent only keeps the resulting code execution off the Bamboo host itself; remote agents remain reachable through the same flaw, so the update is the only complete fix.
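The weakness class behind this advisory, as an added Python model (not Bamboo's code; the permission name, class names, simulated agent and sample task are assumptions): a "create deployment project" operation that only confirms the caller is logged in, beside the corrected form that requires the specific deployment-project permission. The model also shows the two preconditions the description names, a green build on the linked plan and an available agent, and what a login-only user gets in each case.

```python
from dataclasses import dataclass

# Hypothetical permission name; Bamboo's real permission model is not reproduced here.
DEPLOYMENT_CREATE = "deployment_project:create"


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()  # empty = can log in, nothing more


@dataclass
class Plan:
    key: str
    last_build_green: bool  # a successful build is what makes the plan deployable


@dataclass
class Agent:
    host: str
    runs_as: str

    def run(self, script: str) -> str:
        # Simulated execution: records what would run, where, and as which user.
        return f"{self.host} as {self.runs_as}: {script}"


@dataclass
class DeploymentProject:
    name: str
    plan_key: str
    creator: str
    tasks: list


class PermissionDenied(Exception):
    pass


class BambooModel:
    def __init__(self, plans, agents, enforce_permission):
        self.plans = {p.key: p for p in plans}
        self.agents = list(agents)
        self.enforce_permission = enforce_permission  # False = vulnerable, True = fixed
        self.projects = {}

    def create_deployment_project(self, user, name, plan_key, tasks):
        # Vulnerable check: any authenticated session is enough.
        if user is None:
            raise PermissionDenied("authentication required")
        # Fixed check: the caller must hold the deployment-project permission.
        if self.enforce_permission and DEPLOYMENT_CREATE not in user.permissions:
            raise PermissionDenied(f"{user.name} lacks {DEPLOYMENT_CREATE}")
        if plan_key not in self.plans:
            raise KeyError(f"no such plan {plan_key}")
        project = DeploymentProject(name, plan_key, user.name, list(tasks))
        self.projects[name] = project
        return project

    def deploy(self, user, name):
        # The creator owns the project and can trigger it; its tasks run on an agent.
        project = self.projects[name]
        if user.name != project.creator and DEPLOYMENT_CREATE not in user.permissions:
            raise PermissionDenied(f"{user.name} may not deploy {name}")
        plan = self.plans[project.plan_key]
        if not plan.last_build_green or not self.agents:
            return []  # nothing runs: no green build, or no agent available
        agent = self.agents[0]  # the default local agent, on the Bamboo host
        return [agent.run(task) for task in project.tasks]


def attacker_attempt(enforce_permission, plan_green=True, local_agent=True):
    """A login-only user tries to turn deployment-project creation into code execution."""
    plan = Plan("PROJ-BUILD", last_build_green=plan_green)  # constructed sample plan
    agents = [Agent("bamboo-host", runs_as="bamboo")] if local_agent else []
    server = BambooModel([plan], agents, enforce_permission)
    mallory = User("mallory")  # authenticated, but holds no deployment permission
    try:
        server.create_deployment_project(mallory, "evil", "PROJ-BUILD", ["id > /tmp/pwned"])
    except PermissionDenied as exc:
        return ("denied", str(exc))
    return ("created", server.deploy(mallory, "evil"))


if __name__ == "__main__":
    print("vulnerable:", attacker_attempt(enforce_permission=False))
    print("fixed:     ", attacker_attempt(enforce_permission=True))
```

The point of the model is that authentication and authorization are separate decisions: the vulnerable path answers "is this a valid session?" where the question should be "may this principal create deployment projects?". The `deploy` step is deliberately left permissive for the creator, because once the creation check is bypassed, ownership of the new project is what lets the attacker run it.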

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2017-8907

Affected Products

Bamboo