CVE-2017-8907

Published Jun 14, 2017

Last updated 6 months ago

CVSS high 8.8

Overview

Description: Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
Source: security@atlassian.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 3.0

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.5
Impact score: 6.4
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-863
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-863

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.11.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FA0783B9-8610-4710-B0D6-50220D72231A"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E0FA3E09-85DE-48CA-AEC8-ECC5FAA53A5E"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D6B16FA0-4131-4C34-AEC8-69F1336FC496"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C8E2EBFD-D17C-4539-93D6-5542FC81BD88"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "34040BD5-D443-474E-9AD8-6CD4B2F1F31D"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0FDCCD33-4DB2-4907-A122-D1EE0B41AAC2"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.13.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9EBC89FA-A835-45A8-B37A-90ED9134F7D4"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.13.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "30879C5B-3AC0-46B4-81F5-186ED881840F"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.13.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "49E6287B-03F0-443A-ADCB-D93ED072409C"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B857798E-7088-40D3-A6EF-9F1D674A7DDE"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1A330DDD-E507-42C4-B458-F9825059AF53"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB54ED38-ABD5-4979-BDB8-0461BA4FE904"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07E21495-A028-4F71-B21C-FBADF3BA8543"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.4.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "493B321D-0034-4AED-8270-3055470BFA77"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DBFD20A5-B693-4801-9662-79FD68D26FDA"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "888DEC36-D4F3-403B-A2F8-83B3AF307934"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "87A11F1D-704A-4FE8-98A6-F1880E20B8A7"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7CB66A4E-79FD-4793-9218-65A3472ED517"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D505A45B-431C-4C5A-B6FC-96C32D31FB33"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E03895CD-67B9-4F3C-A4C5-9DBED3AF3014"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1DACC3EE-5898-457C-B9FE-DCBA2634DE4F"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References