Vulnerabilites related to Atlassian - Bamboo
Vulnerability from fkie_nvd
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/103110 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19663 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103110 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19663 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81E848FD-F297-4BA3-A186-F1C8494373CA",
"versionEndExcluding": "6.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability."
},
{
"lang": "es",
"value": "El recurso de actualizaci\u00f3n de administraci\u00f3n de usuarios en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen los datos de usuario, incluyendo las contrase\u00f1as, mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF)."
}
],
"id": "CVE-2017-18042",
"lastModified": "2024-11-21T03:19:14.000",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-02T14:29:00.983",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103110"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19663"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103110"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19663"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-10-03 01:29
Modified
2025-04-20 01:37
Severity ?
Summary
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/536747/100/0/threaded | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://confluence.atlassian.com/x/Hw7RLg | Vendor Advisory | |
| cve@mitre.org | https://jira.atlassian.com/browse/BAM-16439 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/536747/100/0/threaded | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/x/Hw7RLg | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-16439 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E89422DD-784F-4FCA-BD0E-78C707620E37",
"versionEndExcluding": "5.8.5",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C913313-26B3-4854-964B-B091B74CC66E",
"versionEndExcluding": "5.9.7",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource."
},
{
"lang": "es",
"value": "Bamboo 2 2 en versiones anteriores a la 5 8 5 y en versiones 5 9 x anteriores a la 5 9 7 permite que los atacantes remotos con acceso a la interfaz web de Bamboo ejecuten c\u00f3digo Java mediante un recurso no especificado."
}
],
"id": "CVE-2015-6576",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-03T01:29:00.607",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/x/Hw7RLg"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-16439"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/x/Hw7RLg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-16439"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-20 18:15
Modified
2024-11-21 06:53
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "218C960A-04C6-4242-BEBA-C81CF5F1F722",
"versionEndExcluding": "7.2.10",
"versionStartIncluding": "7.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E360CDE0-FD1E-4337-8268-DB89CF605EE0",
"versionEndExcluding": "8.0.9",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0913EE0-2046-4E7E-966D-DC894E34D12B",
"versionEndExcluding": "8.1.8",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D182C1B1-A5FF-4777-9835-4E9114BB68DC",
"versionEndExcluding": "8.2.4",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DCD53E4-3169-4E8A-88D1-38BE51D09DD3",
"versionEndExcluding": "7.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B878E40-95A7-40A7-9C52-6BC0C2FD3F54",
"versionEndExcluding": "7.17.8",
"versionStartIncluding": "7.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46305D5A-7F7B-4A04-9DAD-E582D1193A7E",
"versionEndExcluding": "7.19.5",
"versionStartIncluding": "7.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A96B135B-9272-457E-A557-6566554262D3",
"versionEndExcluding": "7.20.2",
"versionStartIncluding": "7.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "62956861-BEDE-40C8-B628-C831087E7BDB",
"versionEndExcluding": "7.21.2",
"versionStartIncluding": "7.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7A85565F-3F80-4E00-A706-AB4B2EAA4AFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99E2E3C0-CDF0-4D79-80A6-85E71B947ED9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C543CA6-8E8A-476C-AB27-614DF4EC68A5",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45FD913B-45DE-4CA8-9733-D62F54B19E74",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12E753EB-0D31-448B-B8DE-0A95434CC97C",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE114494-74F0-454C-AAC4-8B8E5F1C67D0",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90BB3572-29ED-415F-AD34-00EB76271F9C",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30EF756A-B4E9-4E5D-BE6F-02CE95F12C9C",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A56B6A10-E23F-49EF-8C07-1AEDFCAE2788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE8BE634-1599-4790-9410-6CA43BC60C4D",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52E68DFD-48F5-4949-AFEA-3829CA5DFC04",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DCDEC6C-4515-4CAA-9D82-7BF68A3AAE7E",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9948F94-DF67-4E3C-8CD4-417D57FBC60F",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30E63ECB-85A8-4D41-A9B5-9FFF18D9CDB1",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "694171BD-FAE2-472C-8183-04BCA2F7B9A7",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0AC5E81B-DA4B-45E7-9584-4B576E49FD8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE028964-B3FC-4883-9967-68DE46EE7F6F",
"versionEndExcluding": "4.3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "57DC9E2A-4C89-420D-9330-F11E56BF2F83",
"versionEndExcluding": "4.4.2",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C50A718F-C67B-4462-BB7E-F80408DEF07D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92329A2E-13E8-4818-85AB-3E7F479411EF",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DDE751-CA88-4CFB-9E60-4243851B4B53",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D91B8507-A7A7-4B74-9999-F1DEA9F487A9",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "963AE427-2897-42CB-AE11-654D700E690B",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7CD8891-BB97-4AD3-BEE4-6CCA0D8A2D85",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E73A5202-6114-48E6-8F9B-C03B2E707055",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D22AB11D-1D73-45DC-803C-146EFED18CDA",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2091E9-0B14-4786-852F-454C56D20839",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "1451C219-8AAA-4165-AE2C-033EF7B6F93A",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*",
"matchCriteriaId": "BD23F987-0F14-4938-BB51-4EE61C24EB62",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "39F77953-41D7-4398-9F07-2A057A993762",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "CADBE0E7-36D9-4F6F-BEE6-A1E0B9428C2A",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "DC0DB08B-2034-4691-A7B2-3E5F8B6318B1",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "97A17BE7-7CCC-46D8-A317-53E2B026DF6E",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
},
{
"lang": "es",
"value": "Una vulnerabilidad en diversos productos de Atlassian permite a un atacante remoto no autenticado causar que sean invocados Filtros Servlet adicionales cuando la aplicaci\u00f3n procesa peticiones o respuestas. Atlassian ha confirmado y corregido el \u00fanico problema de seguridad conocido asociado a esta vulnerabilidad: Omisi\u00f3n de recursos de origen cruzado (CORS). El env\u00edo de una petici\u00f3n HTTP especialmente dise\u00f1ada puede invocar el filtro Servlet usado para responder a las peticiones CORS, resultando en una omisi\u00f3n de CORS. Un atacante que pueda enga\u00f1ar a un usuario para que solicite una URL maliciosa puede acceder a la aplicaci\u00f3n vulnerable con los permisos de la v\u00edctima. Est\u00e1n afectadas las versiones de Atlassian Bamboo anteriores a 8.0.9, desde la 8.1.0 anteriores a 8.1.8 y de la 8.2.0 anteriores a 8.2.4. Las versiones de Atlassian Bitbucket est\u00e1n afectadas anteriores a 7.6.16, desde la 7.7.0 anteriores a 7.17.8, desde la 7.18.0 anteriores a 7.19.5, desde la 7.20.0 anteriores a 7.20.2, desde la 7.21.0 anteriores a 7.21.2, y las versiones 8.0.0 y 8.1.0. Est\u00e1n afectadas las versiones de Atlassian Confluence anteriores a 7.4.17, desde la 7.5.0 anteriores a 7.13.7, desde la 7.14.0 anteriores a 7.14.3, desde la 7.15.0 anteriores a 7.15.2, desde la 7.16.0 anteriores a 7.16.4, desde la 7.17.0 anteriores a 7.17.4 y la versi\u00f3n 7.21.0. Est\u00e1n afectadas las versiones de Atlassian Crowd anteriores a 4.3.8, desde la 4.4.0 hasta 4.4.2, y la versi\u00f3n 5.0.0. Est\u00e1n afectadas las versiones de Atlassian Fisheye y Crucible anteriores a 4.8.10. Est\u00e1n afectadas las versiones de Atlassian Jira anteriores a 8.13.22, desde la 8.14.0 hasta 8.20.10, y desde la 8.21.0 hasta 8.22.4. Las versiones de Atlassian Jira Service Management est\u00e1n afectadas anteriores a 4.13.22, desde la 4.14.0 anteriores a 4.20.10, y desde la 4.21.0 anteriores a 4.22.4"
}
],
"id": "CVE-2022-26137",
"lastModified": "2024-11-21T06:53:30.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-07-20T18:15:08.557",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-180"
}
],
"source": "security@atlassian.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-08 19:59
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2764BBDA-4FA2-4FFD-A126-823CB52D0D06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "42875600-4DA1-4574-9F9D-0FB8AE61DD10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3C79631B-6B9F-4FC0-9B12-17CD656A1CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C2337D88-9821-4794-B0C8-6FA73BD158C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F2F087A2-790D-4D36-82F0-83C6BF504216",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2162E45E-58ED-43B5-905F-C2E7475E0DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "69BE15C9-542E-4586-8B05-BBE1508266E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8C8F7C6B-C6DF-4106-83FA-C8BCB2A0D02A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3D461805-C648-420C-9352-64634DC06CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F995A4F3-EDB9-431C-864E-253EACB523A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5B407F0C-D5CA-4D33-A124-CBEC74B5EF5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0F1B608F-A264-4FFB-9250-311ECEC065E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5259D2D7-ABAE-4024-AA80-77D7F6A2AD21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E42A908E-D53D-4A7A-917E-FB66C846CC55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41AEA85-6758-448C-B7AC-87E252380BBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7F1728-FBE3-4FEF-8CA9-E613D5873FC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5021430D-C84B-4F67-A490-A0D6C87B25D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "64083DE3-8072-4CAC-B374-5FF402E048A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5A940B1E-3E73-4A3E-912B-BF482776CF5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6DB6A4F7-4827-4965-8790-41A60AAD98C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CA69F796-66AC-49BA-BF8C-348E6FDB2176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "98DE5577-DFD8-42E7-A70A-3402D6386E79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BEA5C7C8-CDD5-4D22-A0B6-F7DEC87CDC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B19625B6-CDBE-485B-BAF1-53ABB770C7B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "866C3CB4-B8FE-4D22-B130-67139D193B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD2FA24-8D68-4F31-8F88-A0930A92591B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F3C3168-20E6-41D2-845B-5A661DCF6A21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BD0EAF-1C94-43A0-9133-9ADD8CAB8F87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A4074958-998F-4333-8C81-45D0A765FB6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0C5E5257-9004-4874-86A0-A3AB4230CE44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F9F3A23-71C8-4F65-A739-26BAAF1D9620",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2539517E-733A-427A-A0DA-F20E6C8A0A0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FEE47E00-3496-4E22-9BDC-7BAF77516249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B207B5EC-B2F2-4ED2-94B7-20CC15D542B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "70595742-7AB8-4A9D-94B4-8EADA093DC6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DD49DEBD-557F-4D65-9DA3-5A4CA0CB014C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1EE8039C-2F64-4056-AADC-66408FADB090",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36190377-CD45-458D-A533-5D68FC38753F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E2A7E6EF-CEF1-4A6A-8C1F-3BA2CF17D9B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9F3DF4FF-4C86-4D9F-882C-96482F69F871",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C7760BAB-C6F3-40B4-8A65-0778C91B2481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D38BBD36-6F5F-44E4-8B74-A1F2E6E9ADE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "173874C7-0A68-447D-9284-6904BBBA8D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "124E0B33-9C58-4AC9-9064-EE9F29FA56CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "89526493-E441-43A6-9C8B-FF16AFD9060F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D1921815-49AD-474C-8898-614C2209CAEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0761166B-7FD9-4574-8C13-0336343ADC46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1B13D9DB-83A0-42AE-A665-214A71890ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FF901B9B-49DE-4676-8245-E280CF5A7EFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7A1D8D9B-E39E-4E77-831E-1D417ACEA5C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "951E6F5B-C905-40F2-B164-647A3E948EAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B408EA00-A128-4927-BFBB-AF0B42EABA56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8B6E80ED-818F-4438-BD2A-AD4847178ABF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EF0876B2-B95C-464B-9479-CEAA9A64E01A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "ABFD011B-EC46-4BFC-AAAB-ABE6612B85E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DCAE8C05-486F-4EC5-B084-2D55331C5EDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D58EB432-8BFF-4CEC-B46C-695E77E2435C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "103A0455-79B1-4135-9384-C673A2459AEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port."
},
{
"lang": "es",
"value": "M\u00faltiples servicios no especificados en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0 no requieren autenticaci\u00f3n, lo que permite a atacantes remotos obtener informaci\u00f3n sensible, modificar ajustes o administrar agentes de construcci\u00f3n a trav\u00e9s de vectores desconocidos que involucran al puerto JMS."
}
],
"id": "CVE-2015-8361",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-08T19:59:04.563",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-17102"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-17102"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-08 19:59
Modified
2025-04-12 10:46
Severity ?
Summary
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2764BBDA-4FA2-4FFD-A126-823CB52D0D06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "42875600-4DA1-4574-9F9D-0FB8AE61DD10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3C79631B-6B9F-4FC0-9B12-17CD656A1CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C2337D88-9821-4794-B0C8-6FA73BD158C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F2F087A2-790D-4D36-82F0-83C6BF504216",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2162E45E-58ED-43B5-905F-C2E7475E0DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "69BE15C9-542E-4586-8B05-BBE1508266E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8C8F7C6B-C6DF-4106-83FA-C8BCB2A0D02A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3D461805-C648-420C-9352-64634DC06CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F995A4F3-EDB9-431C-864E-253EACB523A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5B407F0C-D5CA-4D33-A124-CBEC74B5EF5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0F1B608F-A264-4FFB-9250-311ECEC065E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5259D2D7-ABAE-4024-AA80-77D7F6A2AD21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E42A908E-D53D-4A7A-917E-FB66C846CC55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41AEA85-6758-448C-B7AC-87E252380BBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7F1728-FBE3-4FEF-8CA9-E613D5873FC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5021430D-C84B-4F67-A490-A0D6C87B25D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "64083DE3-8072-4CAC-B374-5FF402E048A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5A940B1E-3E73-4A3E-912B-BF482776CF5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6DB6A4F7-4827-4965-8790-41A60AAD98C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CA69F796-66AC-49BA-BF8C-348E6FDB2176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "98DE5577-DFD8-42E7-A70A-3402D6386E79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BEA5C7C8-CDD5-4D22-A0B6-F7DEC87CDC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B19625B6-CDBE-485B-BAF1-53ABB770C7B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "866C3CB4-B8FE-4D22-B130-67139D193B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD2FA24-8D68-4F31-8F88-A0930A92591B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F3C3168-20E6-41D2-845B-5A661DCF6A21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BD0EAF-1C94-43A0-9133-9ADD8CAB8F87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A4074958-998F-4333-8C81-45D0A765FB6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0C5E5257-9004-4874-86A0-A3AB4230CE44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F9F3A23-71C8-4F65-A739-26BAAF1D9620",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2539517E-733A-427A-A0DA-F20E6C8A0A0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FEE47E00-3496-4E22-9BDC-7BAF77516249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B207B5EC-B2F2-4ED2-94B7-20CC15D542B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "70595742-7AB8-4A9D-94B4-8EADA093DC6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DD49DEBD-557F-4D65-9DA3-5A4CA0CB014C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1EE8039C-2F64-4056-AADC-66408FADB090",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36190377-CD45-458D-A533-5D68FC38753F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E2A7E6EF-CEF1-4A6A-8C1F-3BA2CF17D9B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9F3DF4FF-4C86-4D9F-882C-96482F69F871",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C7760BAB-C6F3-40B4-8A65-0778C91B2481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D38BBD36-6F5F-44E4-8B74-A1F2E6E9ADE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "173874C7-0A68-447D-9284-6904BBBA8D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "124E0B33-9C58-4AC9-9064-EE9F29FA56CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "89526493-E441-43A6-9C8B-FF16AFD9060F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D1921815-49AD-474C-8898-614C2209CAEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0761166B-7FD9-4574-8C13-0336343ADC46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1B13D9DB-83A0-42AE-A665-214A71890ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FF901B9B-49DE-4676-8245-E280CF5A7EFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7A1D8D9B-E39E-4E77-831E-1D417ACEA5C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "951E6F5B-C905-40F2-B164-647A3E948EAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B408EA00-A128-4927-BFBB-AF0B42EABA56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8B6E80ED-818F-4438-BD2A-AD4847178ABF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EF0876B2-B95C-464B-9479-CEAA9A64E01A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "ABFD011B-EC46-4BFC-AAAB-ABE6612B85E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DCAE8C05-486F-4EC5-B084-2D55331C5EDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D58EB432-8BFF-4CEC-B46C-695E77E2435C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "103A0455-79B1-4135-9384-C673A2459AEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message."
},
{
"lang": "es",
"value": "La API Ignite Realtime Smack XMPP, como se utiliza en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0, permite a servidores XMPP remotos configurados ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de datos serializados en un mensaje XMPP."
}
],
"id": "CVE-2014-9757",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-08T19:59:00.127",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-17099"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-17099"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-05-22 15:55
Modified
2025-04-11 00:51
Severity ?
Summary
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atlassian | bamboo | * | |
| atlassian | bamboo | * | |
| atlassian | confluence | * | |
| atlassian | confluence_server | * | |
| atlassian | confluence_server | * | |
| atlassian | crowd | * | |
| atlassian | crowd | * | |
| atlassian | crowd | * | |
| atlassian | crowd | * | |
| atlassian | crowd | * | |
| atlassian | crucible | * | |
| atlassian | crucible | * | |
| atlassian | crucible | * | |
| atlassian | fisheye | * | |
| atlassian | fisheye | * | |
| atlassian | fisheye | * | |
| atlassian | jira | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C1EA6F7-CF4A-43C8-AD67-4A3E97D7B0BC",
"versionEndExcluding": "3.3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5B53F201-032F-4672-A271-8D424B939775",
"versionEndExcluding": "3.4.5",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4059F4D-831C-467C-91BC-B49BB7A5487E",
"versionEndExcluding": "3.5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9718C5D3-364A-4BD0-B60D-5FCEA8B1BAFF",
"versionEndExcluding": "4.0.7",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "121D6C9B-9746-423C-9A0A-13697F7B490B",
"versionEndExcluding": "4.1.10",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB8E3563-1CF4-4665-8CD3-CAEFFBB6B3B6",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55437340-1D44-41C7-B82A-6E6473C17B62",
"versionEndExcluding": "2.1.2",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68C5F90D-1AB3-409E-9A84-8EF42735BCD9",
"versionEndExcluding": "2.2.9",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C99026A0-1B4A-4CF7-B7E5-DC1231302CEC",
"versionEndExcluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "28E820F2-4E46-4744-9EE9-C9CDEF78B8D7",
"versionEndExcluding": "2.4.1",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD4C65C4-2C22-48F2-B4F6-D40915374FF1",
"versionEndExcluding": "2.5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "263668EC-0168-4FC2-82E3-6606269AE372",
"versionEndExcluding": "2.6.8",
"versionStartIncluding": "2.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B62B11D8-BC78-431B-91D4-F6CE14E0C7D0",
"versionEndExcluding": "2.7.12",
"versionStartIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77B117D3-9D05-4192-9A40-B4610D636DE7",
"versionEndExcluding": "2.5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3768A3A7-B5F8-46C7-A932-1C779C167216",
"versionEndExcluding": "2.6.8",
"versionStartIncluding": "2.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4779A8F0-9CDB-46F7-9EB6-B155187218EB",
"versionEndExcluding": "2.7.12",
"versionStartIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*",
"matchCriteriaId": "20F692D8-2A86-403D-82C6-363C9798BD3A",
"versionEndExcluding": "5.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors."
},
{
"lang": "es",
"value": "Atlassian JIRA antes de v5.0.1; Confluence antes de v3.5.16, v4.0 antes de v4.0.7, y v4.1 antes del v4.1.10; \u0027FishEye and Crucible\u0027 antes de v2.5.8, v2.6 antes de v2.6.8, y v2.7 antes de v2.7.12; Bamboo antes de v3.3.4 y v3.4.x antes de v3.4.5, y Crowd antes de v2.0.9, v2.1 antes de v2.1.2, v2.2 antes de v2.2.9, v2.3 antes de v2.3.7 y v2.4 antes de v2.4.1 no restringen correctamente las capacidades de los analizadores XML de de terceros, lo que permite leer ficheros de su elecci\u00f3n o causar una denegaci\u00f3n de servicio (por excesivo consumo de recursos) a atacantes remotos a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2012-2926",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2012-05-22T15:55:02.853",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/81993"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://secunia.com/advisories/49146"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/53595"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/81993"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "http://secunia.com/advisories/49146"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/53595"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19664 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19664 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81E848FD-F297-4BA3-A186-F1C8494373CA",
"versionEndExcluding": "6.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability."
},
{
"lang": "es",
"value": "El recurso saveConfigureSecurity en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen las opciones de seguridad mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF)."
}
],
"id": "CVE-2017-18080",
"lastModified": "2024-11-21T03:19:19.187",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-02T14:29:01.047",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19664"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19664"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/103070 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19661 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103070 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19661 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44C21470-8C72-47DC-AA27-6E952CFCC2F7",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release."
},
{
"lang": "es",
"value": "El recurso viewDeploymentVersionCommits en Atlassian Bamboo, en versiones anteriores a la 6.2.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una versi\u00f3n."
}
],
"id": "CVE-2017-18040",
"lastModified": "2024-11-21T03:19:13.760",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-02T14:29:00.873",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103070"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19661"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103070"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19661"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-13 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/102193 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Patch, Vendor Advisory | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-18843 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102193 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-18843 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D05A0A86-3C17-4983-B592-C95CC753A2B2",
"versionEndExcluding": "6.1.6",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1EF607C7-BC76-4660-B9F6-C8D56D19BE20",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability."
},
{
"lang": "es",
"value": "Bamboo no comprob\u00f3 que el nombre de una rama en un repositorio de Mercurial conten\u00eda par\u00e1metros de argumento. Un atacante que tiene permiso para crear un repositorio en Bamboo, editar un plan existente que tenga un repositorio de Mercurial no enlazado, crear o editar un plan en el que haya al menos un repositorio de Mercurial enlazado para el que el atacante tenga permiso de utilizaci\u00f3n, o commit con ID en un repositorio de Mercurial empleado por un plan Bamboo con la detecci\u00f3n de ramas habilitada puede ejecutar el c\u00f3digo que elija en sistemas que ejecuten una versi\u00f3n vulnerable de Bamboo Server. Las versiones de Bamboo que comienzan por 2.7.0 anteriores a la 6.1.6 (la versi\u00f3n corregida para 6.1.x) y desde la 6.2.0 anteriores a la 6.2.5 (la versi\u00f3n corregida para 6.2.x) se han visto afectadas por esta vulnerabilidad."
}
],
"id": "CVE-2017-14590",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-13T15:29:00.297",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102193"
},
{
"source": "security@atlassian.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-18843"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102193"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-18843"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-10-12 13:29
Modified
2025-04-20 01:37
Severity ?
Summary
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/101269 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/101269 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1DACC3EE-5898-457C-B9FE-DCBA2634DE4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "67BEBCA5-8704-4557-8119-AF4C0799394E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "451870E0-326D-424F-86E9-B04A177B7D6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "79E39376-B888-40C9-9DC6-036D5C573823",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "09F1CF26-C2CA-4BEB-B3E1-45B280FE4F9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "374EF21B-238E-4173-AABB-771B4CC636B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "83D8E6A7-EA13-474B-B7DD-3EC9F05438D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DA5E64B2-EA6A-433A-ACF7-540F8273CFE8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo."
},
{
"lang": "es",
"value": "Bamboo en versiones anteriores a la 6.0.5, 6.1.x anteriores a la 6.1.4 y 6.2.x anteriores a la 6.2.1 ten\u00eda un endpoint REST que analizaba sint\u00e1cticamente un archivo YAML y no restring\u00eda suficientemente qu\u00e9 clases se pod\u00edan cargar. Un atacante que pueda iniciar sesi\u00f3n en Bamboo como un usuario ser\u00eda capaz de explotar esta vulnerabilidad para ejecutar c\u00f3digo Java de su elecci\u00f3n en sistemas que tienen versiones vulnerables de Bamboo."
}
],
"id": "CVE-2017-9514",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-12T13:29:00.200",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/101269"
},
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/101269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-08 04:15
Modified
2024-11-21 04:27
Severity ?
Summary
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:troubleshooting_and_support:*:*:*:*:*:*:*:*",
"matchCriteriaId": "093A33BE-D93B-4CBC-9BF3-B37207CBAD84",
"versionEndExcluding": "1.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A17D5A1F-2408-4768-9DC3-F850B21B64AD",
"versionEndExcluding": "6.10.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BF79AB35-E420-4475-AD28-FC219C636C8B",
"versionEndExcluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC203A88-CA6B-4F1A-A68D-9C2CDE8F67FC",
"versionEndExcluding": "7.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1361951B-0754-45FF-96E4-8A886C24411B",
"versionEndExcluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "40EB5F54-C9BD-4299-A616-E3A8E20C77FB",
"versionEndExcluding": "4.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "452D57FA-0A0B-486F-9D4B-45487B68FFB9",
"versionEndExcluding": "4.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76FE371E-3000-464E-ADEE-033BF2989429",
"versionEndExcluding": "8.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2."
},
{
"lang": "es",
"value": "El plugin Atlassian Troubleshooting and Support anterior a versi\u00f3n 1.17.2, permite a un usuario sin privilegios iniciar escaneos de registros peri\u00f3dicos y enviar los resultados a una direcci\u00f3n de correo electr\u00f3nico especificada por el usuario debido a una falta de comprobaci\u00f3n de autorizaci\u00f3n. El mensaje de correo electr\u00f3nico puede contener informaci\u00f3n de configuraci\u00f3n sobre la aplicaci\u00f3n en la que el plugin est\u00e1 instalado. Se incluye una versi\u00f3n vulnerable del plugin con Bitbucket Server/Data Center versiones anteriores a 6.6.0, Confluence Server / Data Center versiones anteriores a 7.0.1, Jira Server / Data Center versiones anteriores a 8.3.2, Crowd / Crowd Data Center versiones anteriores a 3.6.0, Fisheye versiones anteriores a 4.7.2, Crucible versiones anteriores a 4.7.2 y Bamboo versiones anteriores a 6.10.2."
}
],
"id": "CVE-2019-15005",
"lastModified": "2024-11-21T04:27:51.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-08T04:15:10.307",
"references": [
{
"source": "security@atlassian.com",
"url": "https://herolab.usd.de/security-advisories/usd-2019-0016/"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-20647"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://herolab.usd.de/security-advisories/usd-2019-0016/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-20647"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-14 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/99090 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99090 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.11.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FA0783B9-8610-4710-B0D6-50220D72231A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0FA3E09-85DE-48CA-AEC8-ECC5FAA53A5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D6B16FA0-4131-4C34-AEC8-69F1336FC496",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E2EBFD-D17C-4539-93D6-5542FC81BD88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.4:*:*:*:*:*:*:*",
"matchCriteriaId": "34040BD5-D443-474E-9AD8-6CD4B2F1F31D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0FDCCD33-4DB2-4907-A122-D1EE0B41AAC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9EBC89FA-A835-45A8-B37A-90ED9134F7D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "30879C5B-3AC0-46B4-81F5-186ED881840F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "49E6287B-03F0-443A-ADCB-D93ED072409C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B857798E-7088-40D3-A6EF-9F1D674A7DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1A330DDD-E507-42C4-B458-F9825059AF53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB54ED38-ABD5-4979-BDB8-0461BA4FE904",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "07E21495-A028-4F71-B21C-FBADF3BA8543",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.14.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "493B321D-0034-4AED-8270-3055470BFA77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DBFD20A5-B693-4801-9662-79FD68D26FDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "888DEC36-D4F3-403B-A2F8-83B3AF307934",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "87A11F1D-704A-4FE8-98A6-F1880E20B8A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7CB66A4E-79FD-4793-9218-65A3472ED517",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D505A45B-431C-4C5A-B6FC-96C32D31FB33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.15.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E03895CD-67B9-4F3C-A4C5-9DBED3AF3014",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1DACC3EE-5898-457C-B9FE-DCBA2634DE4F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo."
},
{
"lang": "es",
"value": "Atlassian Bamboo, en versiones 5.x anteriores a la 5.15.7 y versiones 6.x anteriores a la 6.0.1, no comprob\u00f3 correctamente si un usuario que crea un proyecto de despliegue ten\u00eda el permiso de edici\u00f3n y, por lo tanto, los derechos para hacerlo. Un atacante que pueda iniciar sesi\u00f3n en Bamboo como usuario sin el permiso de edici\u00f3n para proyectos de despliegue puede emplear esta vulnerabilidad, siempre y cuando exista un plan con un \"green build\" para crear un proyecto de despliegue y ejecute c\u00f3digo arbitrario en un agente Bamboo disponible. Por defecto, un agente local est\u00e1 habilitado."
}
],
"id": "CVE-2017-8907",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2017-06-14T20:29:00.140",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99090"
},
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99090"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-20 10:15
Modified
2025-03-13 16:15
Severity ?
Summary
This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17
Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was reported via our Bug Bounty program.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667 | Issue Tracking, Vendor Advisory | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-25858 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5EC3F5F-AFF0-4FAD-AFC9-4BE967319F82",
"versionEndExcluding": "9.2.17",
"versionStartIncluding": "9.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52F810C2-8E16-4B1A-B426-54CE82067349",
"versionEndExcluding": "9.6.5",
"versionStartIncluding": "9.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689\u00a0 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17\r\n\r\n Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was reported via our Bug Bounty program."
},
{
"lang": "es",
"value": "Esta vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) de alta gravedad, CVE-2024-21689, se introdujo en las versiones 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 y 9.6.0 de Bamboo Data Center and Server. Esta vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE), con una puntuaci\u00f3n CVSS de 7,6, permite a un atacante autenticado ejecutar c\u00f3digo arbitrario que tiene un alto impacto en la confidencialidad, la integridad y la disponibilidad, y requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Bamboo Data Center and Server actualicen a la \u00faltima versi\u00f3n. Si no puede hacerlo, actualice su instancia a una de las versiones corregidas compatibles especificadas: Bamboo Data Center and Server 9.2: actualice a una versi\u00f3n mayor o igual a 9.2.17 Bamboo Data Center and Server 9.6: actualice a una versi\u00f3n mayor o igual a 9.6.5 Consulte las notas de la versi\u00f3n ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). Puede descargar la \u00faltima versi\u00f3n de Bamboo Data Center and Server desde el centro de descargas ([https://www.atlassian.com/software/bamboo/download-archives]). Esta vulnerabilidad se inform\u00f3 a trav\u00e9s de nuestro programa Bug Bounty."
}
],
"id": "CVE-2024-21689",
"lastModified": "2025-03-13T16:15:17.273",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.0,
"impactScore": 6.0,
"source": "security@atlassian.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-20T10:15:04.103",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-25858"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/103071 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19662 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103071 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19662 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17B08059-ED44-4125-9AA6-0C8C42B1E21E",
"versionEndExcluding": "6.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release."
},
{
"lang": "es",
"value": "El recurso viewDeploymentVersionJiraIssuesDialog en Atlassian Bamboo, en versiones anteriores a la 6.2.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una versi\u00f3n."
}
],
"id": "CVE-2017-18041",
"lastModified": "2024-11-21T03:19:13.883",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-02T14:29:00.937",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103071"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19662"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103071"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19662"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-21 18:15
Modified
2024-11-21 07:44
Severity ?
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.
JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)
Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was discovered by a private user and reported via our Bug Bounty program
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BD39D93-971A-4C82-9090-E502D250851A",
"versionEndExcluding": "9.2.7",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "191F8EA5-2812-4A23-98AB-28C4843CDE15",
"versionEndExcluding": "9.3.4",
"versionStartIncluding": "9.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.\r\n JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)\r\n\r\n Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was discovered by a private user and reported via our Bug Bounty program"
},
{
"lang": "es",
"value": "Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo) de alta gravedad se introdujo en las versiones 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0 y 9.3.0 de Bamboo Data Center and Server. Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo), con una puntuaci\u00f3n CVSS de 8.5, permite a un atacante autenticado ejecutar c\u00f3digo arbitrario que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Bamboo Data Center and Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: Bamboo Data Center and Server 9.2: actualice a una versi\u00f3n superior o igual a 9.2.7. Se debe utilizar JDK 1.8u121+ en caso de que se utilice Java 8 para ejecutar Bamboo Data Center and Server. Consulte las notas de actualizaci\u00f3n de Bamboo 9.2 (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html) Bamboo Data Center and Server 9.3: actualice a una versi\u00f3n superior o igual a 9.3. 4 Consulte las notas de la versi\u00f3n ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). Puede descargar la \u00faltima versi\u00f3n de Bamboo Data Center and Server desde el centro de descargas ([https://www.atlassian.com/software/bamboo/download-archives]). Esta vulnerabilidad fue descubierta por un usuario privado y reportada a trav\u00e9s de nuestro programa Bug Bounty."
}
],
"id": "CVE-2023-22516",
"lastModified": "2024-11-21T07:44:58.067",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security@atlassian.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-21T18:15:07.910",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573"
},
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-25168"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-25168"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-20 18:15
Modified
2024-11-21 06:53
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "218C960A-04C6-4242-BEBA-C81CF5F1F722",
"versionEndExcluding": "7.2.10",
"versionStartIncluding": "7.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E360CDE0-FD1E-4337-8268-DB89CF605EE0",
"versionEndExcluding": "8.0.9",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0913EE0-2046-4E7E-966D-DC894E34D12B",
"versionEndExcluding": "8.1.8",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D182C1B1-A5FF-4777-9835-4E9114BB68DC",
"versionEndExcluding": "8.2.4",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DCD53E4-3169-4E8A-88D1-38BE51D09DD3",
"versionEndExcluding": "7.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B878E40-95A7-40A7-9C52-6BC0C2FD3F54",
"versionEndExcluding": "7.17.8",
"versionStartIncluding": "7.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46305D5A-7F7B-4A04-9DAD-E582D1193A7E",
"versionEndExcluding": "7.19.5",
"versionStartIncluding": "7.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A96B135B-9272-457E-A557-6566554262D3",
"versionEndExcluding": "7.20.2",
"versionStartIncluding": "7.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "62956861-BEDE-40C8-B628-C831087E7BDB",
"versionEndExcluding": "7.21.2",
"versionStartIncluding": "7.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7A85565F-3F80-4E00-A706-AB4B2EAA4AFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99E2E3C0-CDF0-4D79-80A6-85E71B947ED9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C543CA6-8E8A-476C-AB27-614DF4EC68A5",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45FD913B-45DE-4CA8-9733-D62F54B19E74",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12E753EB-0D31-448B-B8DE-0A95434CC97C",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE114494-74F0-454C-AAC4-8B8E5F1C67D0",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90BB3572-29ED-415F-AD34-00EB76271F9C",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30EF756A-B4E9-4E5D-BE6F-02CE95F12C9C",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A56B6A10-E23F-49EF-8C07-1AEDFCAE2788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE8BE634-1599-4790-9410-6CA43BC60C4D",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52E68DFD-48F5-4949-AFEA-3829CA5DFC04",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DCDEC6C-4515-4CAA-9D82-7BF68A3AAE7E",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9948F94-DF67-4E3C-8CD4-417D57FBC60F",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30E63ECB-85A8-4D41-A9B5-9FFF18D9CDB1",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "694171BD-FAE2-472C-8183-04BCA2F7B9A7",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0AC5E81B-DA4B-45E7-9584-4B576E49FD8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE028964-B3FC-4883-9967-68DE46EE7F6F",
"versionEndExcluding": "4.3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "57DC9E2A-4C89-420D-9330-F11E56BF2F83",
"versionEndExcluding": "4.4.2",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C50A718F-C67B-4462-BB7E-F80408DEF07D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92329A2E-13E8-4818-85AB-3E7F479411EF",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DDE751-CA88-4CFB-9E60-4243851B4B53",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D91B8507-A7A7-4B74-9999-F1DEA9F487A9",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "963AE427-2897-42CB-AE11-654D700E690B",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7CD8891-BB97-4AD3-BEE4-6CCA0D8A2D85",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E73A5202-6114-48E6-8F9B-C03B2E707055",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D22AB11D-1D73-45DC-803C-146EFED18CDA",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2091E9-0B14-4786-852F-454C56D20839",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "1451C219-8AAA-4165-AE2C-033EF7B6F93A",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*",
"matchCriteriaId": "BD23F987-0F14-4938-BB51-4EE61C24EB62",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "39F77953-41D7-4398-9F07-2A057A993762",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "CADBE0E7-36D9-4F6F-BEE6-A1E0B9428C2A",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "DC0DB08B-2034-4691-A7B2-3E5F8B6318B1",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "97A17BE7-7CCC-46D8-A317-53E2B026DF6E",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
},
{
"lang": "es",
"value": "Una vulnerabilidad en varios productos de Atlassian permite a un atacante remoto no autenticado omitir los filtros Servlet usados por aplicaciones de primera y tercera parte. El impacto depende de los filtros usados por cada aplicaci\u00f3n y de c\u00f3mo son usados los filtros. Esta vulnerabilidad puede resultar en una omisi\u00f3n de la autenticaci\u00f3n y un ataque de tipo cross-site scripting. Atlassian ha publicado actualizaciones que corrigen la causa principal de esta vulnerabilidad, pero no ha enumerado exhaustivamente todas las consecuencias potenciales de esta vulnerabilidad. Est\u00e1n afectadas las versiones de Atlassian Bamboo anteriores a 8.0.9, desde 8.1.0 hasta 8.1.8, y desde la 8.2.0 hasta 8.2.4. Las versiones de Atlassian Bitbucket est\u00e1n afectadas anteriores a 7.6.16, desde la 7.7.0 anteriores a 7.17.8, desde la 7.18.0 anteriores a 7.19.5, desde la 7.20.0 anteriores a 7.20.2, desde la 7.21.0 anteriores a 7.21.2, y las versiones 8.0.0 y 8.1.0. Est\u00e1n afectadas las versiones de Atlassian Confluence anteriores a 7.4.17, desde la 7.5.0 anteriores a 7.13.7, desde la 7.14.0 anteriores a 7.14.3, desde la 7.15.0 anteriores a 7.15.2, desde la 7.16.0 anteriores a 7.16.4, desde la 7.17.0 anteriores a 7.17.4 y la versi\u00f3n 7.21.0. Est\u00e1n afectadas las versiones de Atlassian Crowd anteriores a 4.3.8, desde la 4.4.0 hasta 4.4.2, y la versi\u00f3n 5.0.0. Est\u00e1n afectadas las versiones de Atlassian Fisheye y Crucible anteriores a 4.8.10. Est\u00e1n afectadas las versiones de Atlassian Jira anteriores a 8.13.22, desde la 8.14.0 hasta 8.20.10, y desde la 8.21.0 hasta 8.22.4. Las versiones de Atlassian Jira Service Management est\u00e1n afectadas anteriores a 4.13.22, desde la 4.14.0 anteriores a 4.20.10, y desde la 4.21.0 anteriores a 4.22.4"
}
],
"id": "CVE-2022-26136",
"lastModified": "2024-11-21T06:53:30.297",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-07-20T18:15:08.487",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-180"
}
],
"source": "security@atlassian.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-08-02 16:59
Modified
2025-04-12 10:46
Severity ?
Summary
Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F46F9B89-7DCF-4DE1-8EE6-BC25F5E09AE7",
"versionEndIncluding": "5.11.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0FA3E09-85DE-48CA-AEC8-ECC5FAA53A5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D6B16FA0-4131-4C34-AEC8-69F1336FC496",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E2EBFD-D17C-4539-93D6-5542FC81BD88",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization."
},
{
"lang": "es",
"value": "Atlassian Bamboo en versiones anteriores a 5.11.4.1 y 5.12.x en versiones anteriores a 5.12.3.1 no restringe adecuadamente clases deserializadas permitidas, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores relacionados con XStream Serialization."
}
],
"id": "CVE-2016-5229",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-08-02T16:59:02.260",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92057"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://jira.atlassian.com/browse/BAM-17736"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92057"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://jira.atlassian.com/browse/BAM-17736"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-13 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/102188 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Vendor Advisory | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-18842 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102188 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-18842 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45F6525F-033C-4BD3-85D4-0770A2177A6D",
"versionEndExcluding": "6.1.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1EF607C7-BC76-4660-B9F6-C8D56D19BE20",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability."
},
{
"lang": "es",
"value": "Era posible que ocurriese una evaluaci\u00f3n doble de OGNL en las plantillas de FreeMarker con etiquetas Struts FreeMarker. Un atacante que cuente con derechos restringidos de administraci\u00f3n en Bamboo o que aloje un sitio web que visite un administrador de Bamboo es capaz de explotar esta vulnerabilidad para ejecutar el c\u00f3digo Java que elija en sistemas que ejecuten una versi\u00f3n vulnerable de Bamboo. Todas las versiones de Bamboo anteriores a la 6.1.6 (la versi\u00f3n corregida para 6.1.x) y desde la 6.2.0 anteriores a la 6.2.5 (la versi\u00f3n corregida para 6.2.x) se han visto afectadas por esta vulnerabilidad."
}
],
"id": "CVE-2017-14589",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-13T15:29:00.217",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102188"
},
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-18842"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/102188"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-18842"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/103087 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19665 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103087 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19665 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81E848FD-F297-4BA3-A186-F1C8494373CA",
"versionEndExcluding": "6.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie."
},
{
"lang": "es",
"value": "El recurso signupUser en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el valor de la cookie del token csrf."
}
],
"id": "CVE-2017-18081",
"lastModified": "2024-11-21T03:19:19.293",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-02T14:29:01.137",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103087"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103087"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19665"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-28 02:15
Modified
2024-11-21 05:55
Severity ?
Summary
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-21215 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-21215 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC678268-C957-400D-A333-180253DD2FA4",
"versionEndExcluding": "7.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2."
},
{
"lang": "es",
"value": "Las versiones afectadas de Atlassian Bamboo permiten a un atacante remoto no autenticado visualizar un seguimiento de la pila que puede revelar la ruta del directorio de inicio en el disco y si determinados archivos existen en el directorio tmp, por medio de una vulnerabilidad de Exposici\u00f3n de Datos Confidenciales en el endpoint /chart.\u0026#xa0;Las versiones afectadas son las anteriores a la versi\u00f3n 7.2.2"
}
],
"id": "CVE-2021-26067",
"lastModified": "2024-11-21T05:55:48.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-28T02:15:12.557",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21215"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21215"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-29 13:29
Modified
2024-11-21 04:08
Severity ?
Summary
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | http://www.securityfocus.com/bid/103653 | Third Party Advisory, VDB Entry | |
| security@atlassian.com | https://confluence.atlassian.com/x/PS9sO | Mitigation, Vendor Advisory | |
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19743 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103653 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/x/PS9sO | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19743 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11FF1812-D2C9-4F21-8CC5-5A32645D8A00",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A1254F4-D57B-4580-A886-9AF0360E347D",
"versionEndExcluding": "6.4.1",
"versionStartIncluding": "6.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability."
},
{
"lang": "es",
"value": "Bamboo no comprob\u00f3 correctamente si un URI de repositorio Mercurial configurado conten\u00eda valores que el sistema operativo de Windows podr\u00eda considerar como par\u00e1metros de argumento. Un atacante que tenga permiso para crear un repositorio en Bamboo, editar un plan existente en Bamboo que tenga un repositorio de Mercurial no enlazado o crear un plan en Bamboo de forma global o en un proyecto mediante Bamboo Specs puede ejecutar c\u00f3digo de su elecci\u00f3n en sistemas que ejecutan una versi\u00f3n vulnerable de Bamboo en el sistema operativo de Windows. Todas las versiones de Bamboo que comienzan por 2.7.0 anteriores a la 6.3.3 (la versi\u00f3n corregida para 6.3.x) y desde la 6.4.0 anteriores a la 6.4.1 (la versi\u00f3n corregida para 6.4.x) que se ejecutan en el sistema operativo Windows se han visto afectadas por esta vulnerabilidad."
}
],
"id": "CVE-2018-5224",
"lastModified": "2024-11-21T04:08:22.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-29T13:29:00.350",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103653"
},
{
"source": "security@atlassian.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/x/PS9sO"
},
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103653"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/x/PS9sO"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19743"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-08 19:59
Modified
2025-04-12 10:46
Severity ?
Summary
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2702AA86-6CD2-4B9F-9AD8-A151A6E95A43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2764BBDA-4FA2-4FFD-A126-823CB52D0D06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "42875600-4DA1-4574-9F9D-0FB8AE61DD10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3C79631B-6B9F-4FC0-9B12-17CD656A1CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C2337D88-9821-4794-B0C8-6FA73BD158C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F2F087A2-790D-4D36-82F0-83C6BF504216",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2162E45E-58ED-43B5-905F-C2E7475E0DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "69BE15C9-542E-4586-8B05-BBE1508266E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8C8F7C6B-C6DF-4106-83FA-C8BCB2A0D02A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3D461805-C648-420C-9352-64634DC06CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F995A4F3-EDB9-431C-864E-253EACB523A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5B407F0C-D5CA-4D33-A124-CBEC74B5EF5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0F1B608F-A264-4FFB-9250-311ECEC065E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5259D2D7-ABAE-4024-AA80-77D7F6A2AD21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E42A908E-D53D-4A7A-917E-FB66C846CC55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41AEA85-6758-448C-B7AC-87E252380BBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7F1728-FBE3-4FEF-8CA9-E613D5873FC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5021430D-C84B-4F67-A490-A0D6C87B25D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "64083DE3-8072-4CAC-B374-5FF402E048A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5A940B1E-3E73-4A3E-912B-BF482776CF5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6DB6A4F7-4827-4965-8790-41A60AAD98C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CA69F796-66AC-49BA-BF8C-348E6FDB2176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "98DE5577-DFD8-42E7-A70A-3402D6386E79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BEA5C7C8-CDD5-4D22-A0B6-F7DEC87CDC9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B19625B6-CDBE-485B-BAF1-53ABB770C7B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "866C3CB4-B8FE-4D22-B130-67139D193B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD2FA24-8D68-4F31-8F88-A0930A92591B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F3C3168-20E6-41D2-845B-5A661DCF6A21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E3BD0EAF-1C94-43A0-9133-9ADD8CAB8F87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A4074958-998F-4333-8C81-45D0A765FB6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0C5E5257-9004-4874-86A0-A3AB4230CE44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F9F3A23-71C8-4F65-A739-26BAAF1D9620",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2539517E-733A-427A-A0DA-F20E6C8A0A0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FEE47E00-3496-4E22-9BDC-7BAF77516249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B207B5EC-B2F2-4ED2-94B7-20CC15D542B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "70595742-7AB8-4A9D-94B4-8EADA093DC6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DD49DEBD-557F-4D65-9DA3-5A4CA0CB014C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1EE8039C-2F64-4056-AADC-66408FADB090",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "36190377-CD45-458D-A533-5D68FC38753F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E2A7E6EF-CEF1-4A6A-8C1F-3BA2CF17D9B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9F3DF4FF-4C86-4D9F-882C-96482F69F871",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C7760BAB-C6F3-40B4-8A65-0778C91B2481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D38BBD36-6F5F-44E4-8B74-A1F2E6E9ADE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "173874C7-0A68-447D-9284-6904BBBA8D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "124E0B33-9C58-4AC9-9064-EE9F29FA56CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "89526493-E441-43A6-9C8B-FF16AFD9060F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D1921815-49AD-474C-8898-614C2209CAEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0761166B-7FD9-4574-8C13-0336343ADC46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1B13D9DB-83A0-42AE-A665-214A71890ED0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FF901B9B-49DE-4676-8245-E280CF5A7EFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7A1D8D9B-E39E-4E77-831E-1D417ACEA5C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "951E6F5B-C905-40F2-B164-647A3E948EAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B408EA00-A128-4927-BFBB-AF0B42EABA56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8B6E80ED-818F-4438-BD2A-AD4847178ABF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EF0876B2-B95C-464B-9479-CEAA9A64E01A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "ABFD011B-EC46-4BFC-AAAB-ABE6612B85E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DCAE8C05-486F-4EC5-B084-2D55331C5EDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D58EB432-8BFF-4CEC-B46C-695E77E2435C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "103A0455-79B1-4135-9384-C673A2459AEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port."
},
{
"lang": "es",
"value": "Un recurso no especificado en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0 permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de datos serializados al puerto JMS."
}
],
"id": "CVE-2015-8360",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-08T19:59:03.563",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-17101"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-17101"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-16 21:15
Modified
2025-03-14 16:15
Severity ?
Summary
This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server.
This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE
See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).
This vulnerability was reported via our Bug Bounty program.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "69A262E8-0C7E-4587-80DB-AEB806FDBB36",
"versionEndIncluding": "9.0.4",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B2E98284-0236-4BBE-9156-42BF39807DC2",
"versionEndIncluding": "9.1.3",
"versionStartIncluding": "9.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "858999DA-5F02-4F34-9776-C17BC35394AC",
"versionEndExcluding": "9.2.16",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0323B84C-7B7B-4FD2-A69B-8B0476543E32",
"versionEndIncluding": "9.3.6",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7848670-8093-4AD5-940F-33CCA7B085D6",
"versionEndIncluding": "9.4.3",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F092DC7A-32B5-4B7C-819B-A7C05D25174C",
"versionEndIncluding": "9.5.4",
"versionStartIncluding": "9.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44EB1487-771C-479E-B986-7F1B582B1FB1",
"versionEndExcluding": "9.6.4",
"versionStartIncluding": "9.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server.\n\nThis File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.\n\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE\n\nSee the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).\n\nThis vulnerability was reported via our Bug Bounty program."
},
{
"lang": "es",
"value": "Esta vulnerabilidad de inclusi\u00f3n de archivos de alta gravedad se introdujo en las versiones 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 y 9.6.0 de Bamboo Data Center and Server. Esta vulnerabilidad de inclusi\u00f3n de archivos, con una puntuaci\u00f3n CVSS de 8,1, permite a un atacante autenticado hacer que la aplicaci\u00f3n muestre el contenido de un archivo local o ejecutar archivos diferentes ya almacenados localmente en el servidor, lo que tiene un alto impacto en la confidencialidad y un alto impacto en la integridad de la privacidad, no afecta la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Bamboo Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones correctoras admitidas especificadas que se enumeran en este CVE. Consulte las notas de la versi\u00f3n (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). Puede descargar la \u00faltima versi\u00f3n de Bamboo Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/bamboo/download-archives). Esta vulnerabilidad se inform\u00f3 a trav\u00e9s de nuestro programa Bug Bounty."
}
],
"id": "CVE-2024-21687",
"lastModified": "2025-03-14T16:15:28.963",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security@atlassian.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-16T21:15:10.257",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
},
{
"source": "security@atlassian.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-25822"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-25822"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-98"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-02 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BAM-19666 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19666 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CB48F4C-78DE-4BD7-988D-6D83286CA99F",
"versionEndExcluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch."
},
{
"lang": "es",
"value": "El recurso de ramas de configuraci\u00f3n de plan en Atlassian Bamboo, en versiones anteriores a la 6.2.3, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una rama."
}
],
"id": "CVE-2017-18082",
"lastModified": "2024-11-21T03:19:19.403",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-02T14:29:01.217",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-19666"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-26137 (GCVE-0-2022-26137)
Vulnerability from cvelistv5
Published
2022-07-20 17:25
Modified
2024-10-03 17:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize ()
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Atlassian | Bamboo Server |
Version: unspecified < 8.0.9 Version: 8.1.0 < unspecified Version: unspecified < 8.1.8 Version: 8.2.0 < unspecified Version: unspecified < 8.2.4 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.2.10",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "7.20.1",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crucible",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fisheye",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:48:52.174175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T17:10:16.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Crowd Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crowd Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Core Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T17:25:23",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-07-20T00:00:00",
"ID": "CVE-2022-26137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bamboo Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Confluence Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Crowd Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crowd Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Jira Core Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21795",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"name": "https://jira.atlassian.com/browse/BSERV-13370",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"name": "https://jira.atlassian.com/browse/CONFSERVER-79476",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"name": "https://jira.atlassian.com/browse/CWD-5815",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"name": "https://jira.atlassian.com/browse/FE-7410",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"name": "https://jira.atlassian.com/browse/CRUC-8541",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-73897",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"name": "https://jira.atlassian.com/browse/JSDSERVER-11863",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26137",
"datePublished": "2022-07-20T17:25:23.603830Z",
"dateReserved": "2022-02-25T00:00:00",
"dateUpdated": "2024-10-03T17:10:16.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9514 (GCVE-0-2017-9514)
Vulnerability from cvelistv5
Published
2017-10-12 13:00
Modified
2024-08-05 17:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote Code Execution
Summary
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:02.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html"
},
{
"name": "101269",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/101269"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "from 6.0.0 before 6.0.5"
},
{
"status": "affected",
"version": "from 6.1.0 before 6.1.4"
},
{
"status": "affected",
"version": "from 6.2.0 before 6.2.1"
}
]
}
],
"datePublic": "2017-10-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-17T09:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html"
},
{
"name": "101269",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/101269"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"ID": "CVE-2017-9514",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "from 6.0.0 before 6.0.5"
},
{
"version_value": "from 6.1.0 before 6.1.4"
},
{
"version_value": "from 6.2.0 before 6.2.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html"
},
{
"name": "101269",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/101269"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-9514",
"datePublished": "2017-10-12T13:00:00",
"dateReserved": "2017-06-07T00:00:00",
"dateUpdated": "2024-08-05T17:11:02.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2926 (GCVE-0-2012-2926)
Vulnerability from cvelistv5
Published
2012-05-22 15:00
Modified
2024-08-06 19:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:50:05.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "fisheye-crucible-xml-dos(75682)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682"
},
{
"name": "49146",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/49146"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17"
},
{
"name": "81993",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/81993"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17"
},
{
"name": "53595",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53595"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17"
},
{
"name": "jira-xml-dos(75697)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-05-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "fisheye-crucible-xml-dos(75682)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682"
},
{
"name": "49146",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/49146"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17"
},
{
"name": "81993",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/81993"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17"
},
{
"name": "53595",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53595"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17"
},
{
"name": "jira-xml-dos(75697)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-2926",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "fisheye-crucible-xml-dos(75682)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682"
},
{
"name": "49146",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/49146"
},
{
"name": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17",
"refsource": "CONFIRM",
"url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17"
},
{
"name": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17",
"refsource": "CONFIRM",
"url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17"
},
{
"name": "81993",
"refsource": "OSVDB",
"url": "http://osvdb.org/81993"
},
{
"name": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17",
"refsource": "CONFIRM",
"url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17"
},
{
"name": "53595",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53595"
},
{
"name": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17",
"refsource": "CONFIRM",
"url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17"
},
{
"name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17",
"refsource": "CONFIRM",
"url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17"
},
{
"name": "jira-xml-dos(75697)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-2926",
"datePublished": "2012-05-22T15:00:00",
"dateReserved": "2012-05-22T00:00:00",
"dateUpdated": "2024-08-06T19:50:05.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18081 (GCVE-0-2017-18081)
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-16 23:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting (XSS)
Summary
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:48.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19665"
},
{
"name": "103087",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103087"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "prior to 6.3.1"
}
]
}
],
"datePublic": "2018-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-22T10:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19665"
},
{
"name": "103087",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103087"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-02-02T00:00:00",
"ID": "CVE-2017-18081",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "prior to 6.3.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-19665",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19665"
},
{
"name": "103087",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103087"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18081",
"datePublished": "2018-02-02T14:00:00Z",
"dateReserved": "2018-02-01T00:00:00",
"dateUpdated": "2024-09-16T23:35:48.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26067 (GCVE-0-2021-26067)
Vulnerability from cvelistv5
Published
2021-01-28 01:45
Modified
2024-09-16 18:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Sensitive Data Exposure
Summary
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:19.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-01-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sensitive Data Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-28T01:45:16",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2021-01-23T00:00:00",
"ID": "CVE-2021-26067",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.2.2"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Sensitive Data Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21215",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2021-26067",
"datePublished": "2021-01-28T01:45:16.145818Z",
"dateReserved": "2021-01-25T00:00:00",
"dateUpdated": "2024-09-16T18:34:10.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21687 (GCVE-0-2024-21687)
Vulnerability from cvelistv5
Published
2024-07-16 20:30
Modified
2025-03-14 16:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- File Inclusion
Summary
This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server.
This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE
See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).
This vulnerability was reported via our Bug Bounty program.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Atlassian | Bamboo Data Center |
Version: 9.6.0 to 9.6.3 Version: 9.5.0 to 9.5.4 Version: 9.4.0 to 9.4.4 Version: 9.3.0 to 9.3.6 Version: 9.2.1 to 9.2.15 Version: 9.1.0 to 9.1.3 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "9.6.3",
"status": "affected",
"version": "9.6.0",
"versionType": "custom"
},
{
"lessThan": "9.5.4",
"status": "affected",
"version": "9.5.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4.0",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3.0",
"versionType": "custom"
},
{
"lessThan": "9.2.15",
"status": "affected",
"version": "9.2.1",
"versionType": "custom"
},
{
"lessThan": "9.1.3",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4.0",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3.0",
"versionType": "custom"
},
{
"lessThan": "9.2.15",
"status": "affected",
"version": "9.2.1",
"versionType": "custom"
},
{
"lessThan": "9.1.3",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T15:18:28.986939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T16:02:45.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-25822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "9.6.0 to 9.6.3"
},
{
"status": "affected",
"version": "9.5.0 to 9.5.4"
},
{
"status": "affected",
"version": "9.4.0 to 9.4.4"
},
{
"status": "affected",
"version": "9.3.0 to 9.3.6"
},
{
"status": "affected",
"version": "9.2.1 to 9.2.15"
},
{
"status": "affected",
"version": "9.1.0 to 9.1.3"
},
{
"status": "unaffected",
"version": "9.6.4"
},
{
"status": "unaffected",
"version": "9.2.16"
}
]
},
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "9.4.0 to 9.4.4"
},
{
"status": "affected",
"version": "9.3.0 to 9.3.6"
},
{
"status": "affected",
"version": "9.2.1 to 9.2.15"
},
{
"status": "affected",
"version": "9.1.0 to 9.1.3"
},
{
"status": "unaffected",
"version": "9.2.16"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bug Bounty"
}
],
"descriptions": [
{
"lang": "en",
"value": "This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server.\n\nThis File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.\n\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE\n\nSee the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).\n\nThis vulnerability was reported via our Bug Bounty program."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "File Inclusion",
"lang": "en",
"type": "File Inclusion"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T20:30:00.385Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
},
{
"url": "https://jira.atlassian.com/browse/BAM-25822"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2024-21687",
"datePublished": "2024-07-16T20:30:00.385Z",
"dateReserved": "2024-01-01T00:05:33.847Z",
"dateUpdated": "2025-03-14T16:02:45.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14589 (GCVE-0-2017-14589)
Vulnerability from cvelistv5
Published
2017-12-13 15:00
Modified
2024-09-16 19:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote Code Execution
Summary
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:34:38.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-18842"
},
{
"name": "102188",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102188"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "before 6.1.6 (the fixed version for 6.1.x)"
},
{
"status": "affected",
"version": "from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-15T10:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-18842"
},
{
"name": "102188",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102188"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-14589",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "before 6.1.6 (the fixed version for 6.1.x)"
},
{
"version_value": "from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-18842",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-18842"
},
{
"name": "102188",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102188"
},
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-14589",
"datePublished": "2017-12-13T15:00:00Z",
"dateReserved": "2017-09-19T00:00:00",
"dateUpdated": "2024-09-16T19:10:55.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8361 (GCVE-0-2015-8361)
Vulnerability from cvelistv5
Published
2016-02-08 19:00
Modified
2024-08-06 08:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:13:32.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-17102"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-17102"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8361",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"name": "https://jira.atlassian.com/browse/BAM-17102",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-17102"
},
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"name": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8361",
"datePublished": "2016-02-08T19:00:00",
"dateReserved": "2015-11-25T00:00:00",
"dateUpdated": "2024-08-06T08:13:32.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18041 (GCVE-0-2017-18041)
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-16 19:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting (XSS)
Summary
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:50.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103071",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103071"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19662"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "prior to 6.2.0"
}
]
}
],
"datePublic": "2018-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-20T10:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"name": "103071",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103071"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19662"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-02-02T00:00:00",
"ID": "CVE-2017-18041",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "prior to 6.2.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103071",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103071"
},
{
"name": "https://jira.atlassian.com/browse/BAM-19662",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19662"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18041",
"datePublished": "2018-02-02T14:00:00Z",
"dateReserved": "2018-01-17T00:00:00",
"dateUpdated": "2024-09-16T19:04:12.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18080 (GCVE-0-2017-18080)
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-16 20:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Request Forgery (CSRF)
Summary
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:48.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19664"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "prior to 6.3.1"
}
]
}
],
"datePublic": "2018-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-02T13:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19664"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-02-02T00:00:00",
"ID": "CVE-2017-18080",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "prior to 6.3.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-19664",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19664"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18080",
"datePublished": "2018-02-02T14:00:00Z",
"dateReserved": "2018-02-01T00:00:00",
"dateUpdated": "2024-09-16T20:47:51.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8360 (GCVE-0-2015-8360)
Vulnerability from cvelistv5
Published
2016-02-08 19:00
Modified
2024-08-06 08:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:13:32.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-17101"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-17101"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8360",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"name": "https://jira.atlassian.com/browse/BAM-17101",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-17101"
},
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"name": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8360",
"datePublished": "2016-02-08T19:00:00",
"dateReserved": "2015-11-25T00:00:00",
"dateUpdated": "2024-08-06T08:13:32.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8907 (GCVE-0-2017-8907)
Vulnerability from cvelistv5
Published
2017-06-14 20:00
Modified
2024-10-16 13:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Incorrect Permission Check
Summary
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Atlassian | Atlassian Bamboo |
Version: 5.0.0 <= version < 5.15.7 Version: 6.0.0 <= version < 6.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:48:22.661Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html"
},
{
"name": "99090",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99090"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.11.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.12.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.12.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.13.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.14.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.14.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.14.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.14.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.15.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.15.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2017-8907",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T13:40:30.708020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T13:45:59.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Atlassian Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0 \u003c= version \u003c 5.15.7"
},
{
"status": "affected",
"version": "6.0.0 \u003c= version \u003c 6.0.1"
}
]
}
],
"datePublic": "2017-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Permission Check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-19T09:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html"
},
{
"name": "99090",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99090"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"ID": "CVE-2017-8907",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Atlassian Bamboo",
"version": {
"version_data": [
{
"version_value": "5.0.0 \u003c= version \u003c 5.15.7"
},
{
"version_value": "6.0.0 \u003c= version \u003c 6.0.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Permission Check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html"
},
{
"name": "99090",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99090"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-8907",
"datePublished": "2017-06-14T20:00:00",
"dateReserved": "2017-05-12T00:00:00",
"dateUpdated": "2024-10-16T13:45:59.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18042 (GCVE-0-2017-18042)
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-17 00:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Request Forgery (CSRF)
Summary
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:50.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103110",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103110"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19663"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "prior to 6.3.1"
}
]
}
],
"datePublic": "2018-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-23T10:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"name": "103110",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103110"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19663"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-02-02T00:00:00",
"ID": "CVE-2017-18042",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "prior to 6.3.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103110",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103110"
},
{
"name": "https://jira.atlassian.com/browse/BAM-19663",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19663"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18042",
"datePublished": "2018-02-02T14:00:00Z",
"dateReserved": "2018-01-17T00:00:00",
"dateUpdated": "2024-09-17T00:32:15.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18040 (GCVE-0-2017-18040)
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-16 20:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting (XSS)
Summary
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:50.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19661"
},
{
"name": "103070",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103070"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "prior to 6.2.0"
}
]
}
],
"datePublic": "2018-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-20T10:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19661"
},
{
"name": "103070",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103070"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-02-02T00:00:00",
"ID": "CVE-2017-18040",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "prior to 6.2.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-19661",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19661"
},
{
"name": "103070",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103070"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18040",
"datePublished": "2018-02-02T14:00:00Z",
"dateReserved": "2018-01-17T00:00:00",
"dateUpdated": "2024-09-16T20:16:51.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26136 (GCVE-0-2022-26136)
Vulnerability from cvelistv5
Published
2022-07-20 17:25
Modified
2024-10-03 16:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize ().
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Atlassian | Bamboo Server |
Version: unspecified < 8.0.9 Version: 8.1.0 < unspecified Version: unspecified < 8.1.8 Version: 8.2.0 < unspecified Version: unspecified < 8.2.4 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.2.10",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crucible",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fisheye",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T15:26:49.090400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:43:16.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Crowd Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crowd Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Core Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T17:25:18",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-07-20T00:00:00",
"ID": "CVE-2022-26136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bamboo Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Confluence Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Crowd Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crowd Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Jira Core Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21795",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"name": "https://jira.atlassian.com/browse/BSERV-13370",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"name": "https://jira.atlassian.com/browse/CONFSERVER-79476",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"name": "https://jira.atlassian.com/browse/CWD-5815",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"name": "https://jira.atlassian.com/browse/FE-7410",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"name": "https://jira.atlassian.com/browse/CRUC-8541",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-73897",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"name": "https://jira.atlassian.com/browse/JSDSERVER-11863",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26136",
"datePublished": "2022-07-20T17:25:18.803466Z",
"dateReserved": "2022-02-25T00:00:00",
"dateUpdated": "2024-10-03T16:43:16.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6576 (GCVE-0-2015-6576)
Vulnerability from cvelistv5
Published
2017-10-02 18:00
Modified
2024-08-06 07:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:22:22.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20151023 CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/x/Hw7RLg"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-16439"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20151023 CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/x/Hw7RLg"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-16439"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6576",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20151023 CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded"
},
{
"name": "https://confluence.atlassian.com/x/Hw7RLg",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/x/Hw7RLg"
},
{
"name": "https://jira.atlassian.com/browse/BAM-16439",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-16439"
},
{
"name": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6576",
"datePublished": "2017-10-02T18:00:00",
"dateReserved": "2015-08-21T00:00:00",
"dateUpdated": "2024-08-06T07:22:22.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-5229 (GCVE-0-2016-5229)
Vulnerability from cvelistv5
Published
2016-08-02 16:00
Modified
2024-08-06 00:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:53:48.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160726 July 2016 - Bamboo Server - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html"
},
{
"name": "92057",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92057"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-17736"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160726 July 2016 - Bamboo Server - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html"
},
{
"name": "92057",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92057"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-17736"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-5229",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160726 July 2016 - Bamboo Server - Critical Security Advisory",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html"
},
{
"name": "92057",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92057"
},
{
"name": "https://jira.atlassian.com/browse/BAM-17736",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-17736"
},
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-5229",
"datePublished": "2016-08-02T16:00:00",
"dateReserved": "2016-06-01T00:00:00",
"dateUpdated": "2024-08-06T00:53:48.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21689 (GCVE-0-2024-21689)
Vulnerability from cvelistv5
Published
2024-08-20 10:00
Modified
2025-03-13 15:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- RCE (Remote Code Execution)
Summary
This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17
Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was reported via our Bug Bounty program.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Atlassian | Bamboo Data Center |
Version: 9.6.0 to 9.6.4 Version: 9.5.0 to 9.5.4 Version: 9.4.0 to 9.4.4 Version: 9.3.0 to 9.3.6 Version: 9.2.1 to 9.2.16 Version: 9.1.0 to 9.1.3 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "9.6.4",
"status": "affected",
"version": "9.6.0",
"versionType": "custom"
},
{
"lessThan": "9.5.4",
"status": "affected",
"version": "9.5.0",
"versionType": "custom"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4.0",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3.0",
"versionType": "custom"
},
{
"lessThan": "9.2.16",
"status": "affected",
"version": "9.2.1",
"versionType": "custom"
},
{
"lessThan": "9.1.3",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.6.5"
},
{
"status": "unaffected",
"version": "9.2.17"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "9.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3.0",
"versionType": "custom"
},
{
"lessThan": "9.2.16",
"status": "affected",
"version": "9.2.1",
"versionType": "custom"
},
{
"lessThan": "9.1.3",
"status": "affected",
"version": "9.1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.17"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T03:55:20.295438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T15:46:54.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "9.6.0 to 9.6.4"
},
{
"status": "affected",
"version": "9.5.0 to 9.5.4"
},
{
"status": "affected",
"version": "9.4.0 to 9.4.4"
},
{
"status": "affected",
"version": "9.3.0 to 9.3.6"
},
{
"status": "affected",
"version": "9.2.1 to 9.2.16"
},
{
"status": "affected",
"version": "9.1.0 to 9.1.3"
},
{
"status": "unaffected",
"version": "9.6.5"
},
{
"status": "unaffected",
"version": "9.2.17"
}
]
},
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "9.4.0 to 9.4.4"
},
{
"status": "affected",
"version": "9.3.0 to 9.3.6"
},
{
"status": "affected",
"version": "9.2.1 to 9.2.16"
},
{
"status": "affected",
"version": "9.1.0 to 9.1.3"
},
{
"status": "unaffected",
"version": "9.2.17"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bug Bounty"
}
],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689\u00a0 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17\r\n\r\n Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was reported via our Bug Bounty program."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T10:00:00.967Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667"
},
{
"url": "https://jira.atlassian.com/browse/BAM-25858"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2024-21689",
"datePublished": "2024-08-20T10:00:00.967Z",
"dateReserved": "2024-01-01T00:05:33.847Z",
"dateUpdated": "2025-03-13T15:46:54.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15005 (GCVE-0-2019-15005)
Vulnerability from cvelistv5
Published
2019-11-08 03:55
Modified
2024-09-16 20:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Authorization
Summary
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ► | Atlassian | Bitbucket Server |
Version: unspecified < 6.6.0 |
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-20647"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://herolab.usd.de/security-advisories/usd-2019-0016/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "6.6.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Crowd",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "3.6.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "6.10.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-11-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-14T20:44:03",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-20647"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://herolab.usd.de/security-advisories/usd-2019-0016/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2019-11-08T00:00:00",
"ID": "CVE-2019-15005",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.6.0"
}
]
}
},
{
"product_name": "Jira Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.3.2"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.0.1"
}
]
}
},
{
"product_name": "Crowd",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.6.0"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.10.2"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-20647",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-20647"
},
{
"name": "https://herolab.usd.de/security-advisories/usd-2019-0016/",
"refsource": "MISC",
"url": "https://herolab.usd.de/security-advisories/usd-2019-0016/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-15005",
"datePublished": "2019-11-08T03:55:12.611106Z",
"dateReserved": "2019-08-13T00:00:00",
"dateUpdated": "2024-09-16T20:31:42.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9757 (GCVE-0-2014-9757)
Vulnerability from cvelistv5
Published
2016-02-08 19:00
Modified
2024-08-06 13:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:55:04.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-17099"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-17099"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9757",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160122 January 2016 - Bamboo - Critical Security Advisory",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded"
},
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html"
},
{
"name": "https://jira.atlassian.com/browse/BAM-17099",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-17099"
},
{
"name": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9757",
"datePublished": "2016-02-08T19:00:00",
"dateReserved": "2015-11-25T00:00:00",
"dateUpdated": "2024-08-06T13:55:04.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5224 (GCVE-0-2018-5224)
Vulnerability from cvelistv5
Published
2018-03-29 13:00
Modified
2024-09-16 18:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Argument Injection
Summary
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:26:46.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103653",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103653"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19743"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/x/PS9sO"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.7.1",
"versionType": "custom"
},
{
"lessThan": "6.3.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-03-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Argument Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-05T09:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"name": "103653",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103653"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19743"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/x/PS9sO"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-03-28T00:00:00",
"ID": "CVE-2018-5224",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.7.1"
},
{
"version_affected": "\u003c",
"version_value": "6.3.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Argument Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103653",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103653"
},
{
"name": "https://jira.atlassian.com/browse/BAM-19743",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19743"
},
{
"name": "https://confluence.atlassian.com/x/PS9sO",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/x/PS9sO"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2018-5224",
"datePublished": "2018-03-29T13:00:00Z",
"dateReserved": "2018-01-05T00:00:00",
"dateUpdated": "2024-09-16T18:04:23.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14590 (GCVE-0-2017-14590)
Vulnerability from cvelistv5
Published
2017-12-13 15:00
Modified
2024-09-16 22:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote Code Execution
Summary
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:34:39.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-18843"
},
{
"name": "102193",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102193"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "from 2.7.0 before 6.1.6 (the fixed version for 6.1.x)"
},
{
"status": "affected",
"version": "from 6.2.0 before 6.2.5"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-15T10:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-18843"
},
{
"name": "102193",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102193"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-14590",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "from 2.7.0 before 6.1.6 (the fixed version for 6.1.x)"
},
{
"version_value": "from 6.2.0 before 6.2.5"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-18843",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-18843"
},
{
"name": "102193",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102193"
},
{
"name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html",
"refsource": "CONFIRM",
"url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-14590",
"datePublished": "2017-12-13T15:00:00Z",
"dateReserved": "2017-09-19T00:00:00",
"dateUpdated": "2024-09-16T22:50:26.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18082 (GCVE-0-2017-18082)
Vulnerability from cvelistv5
Published
2018-02-02 14:00
Modified
2024-09-16 18:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting (XSS)
Summary
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:47.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-19666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bamboo",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "prior to 6.2.3"
}
]
}
],
"datePublic": "2018-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-02T13:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/BAM-19666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-02-02T00:00:00",
"ID": "CVE-2017-18082",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo",
"version": {
"version_data": [
{
"version_value": "prior to 6.2.3"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-19666",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/BAM-19666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18082",
"datePublished": "2018-02-02T14:00:00Z",
"dateReserved": "2018-02-01T00:00:00",
"dateUpdated": "2024-09-16T18:38:32.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22516 (GCVE-0-2023-22516)
Vulnerability from cvelistv5
Published
2023-11-21 18:00
Modified
2024-10-21 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- RCE (Remote Code Execution)
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.
JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)
Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was discovered by a private user and reported via our Bug Bounty program
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Atlassian | Bamboo Data Center |
Version: >= 8.1.0 Version: >= 8.1.1 Version: >= 8.1.10 Version: >= 8.1.11 Version: >= 8.1.12 Version: >= 8.1.2 Version: >= 8.1.3 Version: >= 8.1.4 Version: >= 8.1.5 Version: >= 8.1.6 Version: >= 8.1.7 Version: >= 8.1.9 Version: >= 8.2.0 Version: >= 8.2.1 Version: >= 8.2.2 Version: >= 8.2.3 Version: >= 8.2.4 Version: >= 8.2.5 Version: >= 8.2.6 Version: >= 8.2.7 Version: >= 8.2.8 Version: >= 8.2.9 Version: >= 9.0.0 Version: >= 9.0.1 Version: >= 9.0.2 Version: >= 9.0.3 Version: >= 9.1.0 Version: >= 9.1.1 Version: >= 9.1.2 Version: >= 9.1.3 Version: >= 9.2.1 Version: >= 9.2.3 Version: >= 9.2.4 Version: >= 9.2.5 Version: >= 9.2.6 Version: >= 9.3.0 Version: >= 9.3.1 Version: >= 9.3.2 Version: >= 9.3.3 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-25168"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:15:23.698292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T14:08:32.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.1"
},
{
"status": "affected",
"version": "\u003e= 8.1.10"
},
{
"status": "affected",
"version": "\u003e= 8.1.11"
},
{
"status": "affected",
"version": "\u003e= 8.1.12"
},
{
"status": "affected",
"version": "\u003e= 8.1.2"
},
{
"status": "affected",
"version": "\u003e= 8.1.3"
},
{
"status": "affected",
"version": "\u003e= 8.1.4"
},
{
"status": "affected",
"version": "\u003e= 8.1.5"
},
{
"status": "affected",
"version": "\u003e= 8.1.6"
},
{
"status": "affected",
"version": "\u003e= 8.1.7"
},
{
"status": "affected",
"version": "\u003e= 8.1.9"
},
{
"status": "affected",
"version": "\u003e= 8.2.0"
},
{
"status": "affected",
"version": "\u003e= 8.2.1"
},
{
"status": "affected",
"version": "\u003e= 8.2.2"
},
{
"status": "affected",
"version": "\u003e= 8.2.3"
},
{
"status": "affected",
"version": "\u003e= 8.2.4"
},
{
"status": "affected",
"version": "\u003e= 8.2.5"
},
{
"status": "affected",
"version": "\u003e= 8.2.6"
},
{
"status": "affected",
"version": "\u003e= 8.2.7"
},
{
"status": "affected",
"version": "\u003e= 8.2.8"
},
{
"status": "affected",
"version": "\u003e= 8.2.9"
},
{
"status": "affected",
"version": "\u003e= 9.0.0"
},
{
"status": "affected",
"version": "\u003e= 9.0.1"
},
{
"status": "affected",
"version": "\u003e= 9.0.2"
},
{
"status": "affected",
"version": "\u003e= 9.0.3"
},
{
"status": "affected",
"version": "\u003e= 9.1.0"
},
{
"status": "affected",
"version": "\u003e= 9.1.1"
},
{
"status": "affected",
"version": "\u003e= 9.1.2"
},
{
"status": "affected",
"version": "\u003e= 9.1.3"
},
{
"status": "affected",
"version": "\u003e= 9.2.1"
},
{
"status": "affected",
"version": "\u003e= 9.2.3"
},
{
"status": "affected",
"version": "\u003e= 9.2.4"
},
{
"status": "affected",
"version": "\u003e= 9.2.5"
},
{
"status": "affected",
"version": "\u003e= 9.2.6"
},
{
"status": "affected",
"version": "\u003e= 9.3.0"
},
{
"status": "affected",
"version": "\u003e= 9.3.1"
},
{
"status": "affected",
"version": "\u003e= 9.3.2"
},
{
"status": "affected",
"version": "\u003e= 9.3.3"
},
{
"status": "unaffected",
"version": "\u003e= 9.2.7"
},
{
"status": "unaffected",
"version": "\u003e= 9.3.4"
}
]
},
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.1"
},
{
"status": "affected",
"version": "\u003e= 8.1.10"
},
{
"status": "affected",
"version": "\u003e= 8.1.11"
},
{
"status": "affected",
"version": "\u003e= 8.1.12"
},
{
"status": "affected",
"version": "\u003e= 8.1.2"
},
{
"status": "affected",
"version": "\u003e= 8.1.3"
},
{
"status": "affected",
"version": "\u003e= 8.1.4"
},
{
"status": "affected",
"version": "\u003e= 8.1.5"
},
{
"status": "affected",
"version": "\u003e= 8.1.6"
},
{
"status": "affected",
"version": "\u003e= 8.1.7"
},
{
"status": "affected",
"version": "\u003e= 8.1.9"
},
{
"status": "affected",
"version": "\u003e= 8.2.0"
},
{
"status": "affected",
"version": "\u003e= 8.2.1"
},
{
"status": "affected",
"version": "\u003e= 8.2.2"
},
{
"status": "affected",
"version": "\u003e= 8.2.3"
},
{
"status": "affected",
"version": "\u003e= 8.2.4"
},
{
"status": "affected",
"version": "\u003e= 8.2.5"
},
{
"status": "affected",
"version": "\u003e= 8.2.6"
},
{
"status": "affected",
"version": "\u003e= 8.2.7"
},
{
"status": "affected",
"version": "\u003e= 8.2.8"
},
{
"status": "affected",
"version": "\u003e= 8.2.9"
},
{
"status": "affected",
"version": "\u003e= 9.0.0"
},
{
"status": "affected",
"version": "\u003e= 9.0.1"
},
{
"status": "affected",
"version": "\u003e= 9.0.2"
},
{
"status": "affected",
"version": "\u003e= 9.0.3"
},
{
"status": "affected",
"version": "\u003e= 9.1.0"
},
{
"status": "affected",
"version": "\u003e= 9.1.1"
},
{
"status": "affected",
"version": "\u003e= 9.1.2"
},
{
"status": "affected",
"version": "\u003e= 9.1.3"
},
{
"status": "affected",
"version": "\u003e= 9.2.1"
},
{
"status": "affected",
"version": "\u003e= 9.2.3"
},
{
"status": "affected",
"version": "\u003e= 9.2.4"
},
{
"status": "affected",
"version": "\u003e= 9.2.5"
},
{
"status": "affected",
"version": "\u003e= 9.2.6"
},
{
"status": "affected",
"version": "\u003e= 9.3.0"
},
{
"status": "affected",
"version": "\u003e= 9.3.1"
},
{
"status": "affected",
"version": "\u003e= 9.3.2"
},
{
"status": "affected",
"version": "\u003e= 9.3.3"
},
{
"status": "unaffected",
"version": "\u003e= 9.2.7"
},
{
"status": "unaffected",
"version": "\u003e= 9.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "a private user"
}
],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.\r\n JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)\r\n\r\n Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was discovered by a private user and reported via our Bug Bounty program"
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T18:00:00.752Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573"
},
{
"url": "https://jira.atlassian.com/browse/BAM-25168"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2023-22516",
"datePublished": "2023-11-21T18:00:00.752Z",
"dateReserved": "2023-01-01T00:01:22.332Z",
"dateUpdated": "2024-10-21T14:08:32.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}