PT-2017-18982 · Atlassian · Bamboo

Published

2017-10-12

Updated

2019-10-03

CVE-2017-9514

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Bamboo versions prior to 6.0.5 Bamboo versions 6.1.x prior to 6.1.4 Bamboo versions 6.2.x prior to 6.2.1

Description The issue concerns a REST endpoint that parses a YAML file but does not sufficiently restrict which classes can be loaded. An attacker with login credentials to Bamboo can exploit this to execute Java code of their choice on systems running vulnerable versions of Bamboo.

Recommendations For versions prior to 6.0.5, update to version 6.0.5 or later. For versions 6.1.x prior to 6.1.4, update to version 6.1.4 or later. For versions 6.2.x prior to 6.2.1, update to version 6.2.1 or later.

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2017-9514

Affected Products

Bamboo

PT-2017-18982 · Atlassian · Bamboo

CVE-2017-9514

Weakness Enumeration

Related Identifiers

Affected Products

References · 5