CVE-2017-8907
Description
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| atlassian | bamboo | 5.0 | |
| atlassian | bamboo | 5.0.1 | |
| atlassian | bamboo | 5.1 | |
| atlassian | bamboo | 5.1.1 | |
| atlassian | bamboo | 5.2 | |
| atlassian | bamboo | 5.2.1 | |
| atlassian | bamboo | 5.2.2 | |
| atlassian | bamboo | 5.3 | |
| atlassian | bamboo | 5.4 | |
| atlassian | bamboo | 5.4.1 | |
| atlassian | bamboo | 5.4.2 | |
| atlassian | bamboo | 5.5 | |
| atlassian | bamboo | 5.6 | |
| atlassian | bamboo | 5.6.1 | |
| atlassian | bamboo | 5.6.2 | |
| atlassian | bamboo | 5.7 | |
| atlassian | bamboo | 5.7.1 | |
| atlassian | bamboo | 5.7.2 | |
| atlassian | bamboo | 5.8 | |
| atlassian | bamboo | 5.8.1 | |
| atlassian | bamboo | 5.8.2 | |
| atlassian | bamboo | 5.8.5 | |
| atlassian | bamboo | 5.9 | |
| atlassian | bamboo | 5.9.1 | |
| atlassian | bamboo | 5.9.2 | |
| atlassian | bamboo | 5.9.3 | |
| atlassian | bamboo | 5.9.4 | |
| atlassian | bamboo | 5.9.7 | |
| atlassian | bamboo | 5.11.3 | |
| atlassian | bamboo | 5.12.0 | |
| atlassian | bamboo | 5.12.1 | |
| atlassian | bamboo | 5.12.2 | |
| atlassian | bamboo | 5.12.4 | |
| atlassian | bamboo | 5.12.5 | |
| atlassian | bamboo | 5.13.0 | |
| atlassian | bamboo | 5.13.1 | |
| atlassian | bamboo | 5.13.2 | |
| atlassian | bamboo | 5.14.0 | |
| atlassian | bamboo | 5.14.1 | |
| atlassian | bamboo | 5.14.2 | |
| atlassian | bamboo | 5.14.3 | |
| atlassian | bamboo | 5.14.4.1 | |
| atlassian | bamboo | 5.14.5 | |
| atlassian | bamboo | 5.15.0 | |
| atlassian | bamboo | 5.15.2 | |
| atlassian | bamboo | 5.15.3 | |
| atlassian | bamboo | 5.15.4 | |
| atlassian | bamboo | 5.15.5 | |
| atlassian | bamboo | 6.0.0 | |
References
CWEs
CWE-863
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.