All the vulnerabilities related to atlassian - bamboo
cve-2015-8360
Vulnerability from cvelistv5
URL | Tags |
---|---|
http://www.securityfocus.com/archive/1/537347/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
https://jira.atlassian.com/browse/BAM-17101 | x_refsource_CONFIRM |
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html | x_refsource_CONFIRM |
http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:13:32.642Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-17101" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-20T00:00:00", "descriptions": [ { "lang": "en", "value": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-17101" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8360", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "name": "https://jira.atlassian.com/browse/BAM-17101", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-17101" }, { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "name": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8360", "datePublished": "2016-02-08T19:00:00", "dateReserved": "2015-11-25T00:00:00", "dateUpdated": "2024-08-06T08:13:32.642Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15005
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://jira.atlassian.com/browse/BAM-20647 | x_refsource_MISC |
https://herolab.usd.de/security-advisories/usd-2019-0016/ | x_refsource_MISC |
Vendor | Product | Version |
---|---|---|
Atlassian | Bitbucket Server | Version: unspecified < 6.6.0 |

This summary shows only the first entry of the record's `affected` list; the record below also lists Jira Server before 8.3.2, Confluence Server before 7.0.1, Crowd before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2 and Bamboo before 6.10.2.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:53.099Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bitbucket Server", "vendor": "Atlassian", "versions": [ { "lessThan": "6.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.3.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Confluence Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Crowd", "vendor": "Atlassian", "versions": [ { "lessThan": "3.6.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Fisheye", "vendor": "Atlassian", "versions": [ { "lessThan": "4.7.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Crucible", "vendor": "Atlassian", "versions": [ { "lessThan": "4.7.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "lessThan": "6.10.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2019-11-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. 
The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Authorization", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-14T20:44:03", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "tags": [ "x_refsource_MISC" ], "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-11-08T00:00:00", "ID": "CVE-2019-15005", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bitbucket Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "6.6.0" } ] } }, { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.3.2" } ] } }, { "product_name": "Confluence Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.0.1" } ] } }, { "product_name": "Crowd", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "3.6.0" } ] } }, { "product_name": "Fisheye", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.7.2" } ] } }, { "product_name": "Crucible", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.7.2" } ] } }, { "product_name": "Bamboo", "version": { "version_data": [ { "version_affected": "\u003c", 
"version_value": "6.10.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-20647", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "name": "https://herolab.usd.de/security-advisories/usd-2019-0016/", "refsource": "MISC", "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-15005", "datePublished": "2019-11-08T03:55:12.611106Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T20:31:42.718Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-8907
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html | x_refsource_CONFIRM |
http://www.securityfocus.com/bid/99090 | vdb-entry, x_refsource_BID |
Vendor | Product | Version |
---|---|---|
Atlassian | Atlassian Bamboo | Version: 5.0.0 <= version < 5.15.7 Version: 6.0.0 <= version < 6.0.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:48:22.661Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html" }, { "name": "99090", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99090" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.11.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.13.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.14.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.14.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.15.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.15.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.15.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bamboo", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2017-8907", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-16T13:40:30.708020Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { 
"descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-16T13:45:59.898Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Atlassian Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "5.0.0 \u003c= version \u003c 5.15.7" }, { "status": "affected", "version": "6.0.0 \u003c= version \u003c 6.0.1" } ] } ], "datePublic": "2017-06-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Permission Check", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-19T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html" }, { "name": "99090", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99090" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "ID": "CVE-2017-8907", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Atlassian Bamboo", "version": { "version_data": [ { "version_value": "5.0.0 \u003c= version \u003c 5.15.7" }, { "version_value": "6.0.0 \u003c= version \u003c 6.0.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Permission Check" } ] } ] }, "references": { "reference_data": [ { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html" }, { "name": "99090", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99090" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-8907", "datePublished": "2017-06-14T20:00:00", "dateReserved": "2017-05-12T00:00:00", "dateUpdated": "2024-10-16T13:45:59.898Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18041
Vulnerability from cvelistv5
URL | Tags |
---|---|
http://www.securityfocus.com/bid/103071 | vdb-entry, x_refsource_BID |
https://jira.atlassian.com/browse/BAM-19662 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:06:50.163Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "103071", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103071" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19662" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 6.2.0" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-20T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "103071", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103071" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19662" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18041", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "prior to 6.2.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo 
before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "103071", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103071" }, { "name": "https://jira.atlassian.com/browse/BAM-19662", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19662" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18041", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-01-17T00:00:00", "dateUpdated": "2024-09-16T19:04:12.784Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-22516
Vulnerability from cvelistv5
Vendor | Product | Version |
---|---|---|
Atlassian | Bamboo Data Center | Version: >= 8.1.0 Version: >= 8.1.1 Version: >= 8.1.10 Version: >= 8.1.11 Version: >= 8.1.12 Version: >= 8.1.2 Version: >= 8.1.3 Version: >= 8.1.4 Version: >= 8.1.5 Version: >= 8.1.6 Version: >= 8.1.7 Version: >= 8.1.9 Version: >= 8.2.0 Version: >= 8.2.1 Version: >= 8.2.2 Version: >= 8.2.3 Version: >= 8.2.4 Version: >= 8.2.5 Version: >= 8.2.6 Version: >= 8.2.7 Version: >= 8.2.8 Version: >= 8.2.9 Version: >= 9.0.0 Version: >= 9.0.1 Version: >= 9.0.2 Version: >= 9.0.3 Version: >= 9.1.0 Version: >= 9.1.1 Version: >= 9.1.2 Version: >= 9.1.3 Version: >= 9.2.1 Version: >= 9.2.3 Version: >= 9.2.4 Version: >= 9.2.5 Version: >= 9.2.6 Version: >= 9.3.0 Version: >= 9.3.1 Version: >= 9.3.2 Version: >= 9.3.3 |

The record below lists the same entries for Bamboo Server and marks `< 8.1.0`, `>= 9.2.7` and `>= 9.3.4` as unaffected.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:13:48.652Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "tags": [ "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-25168" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-22516", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:15:23.698292Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T14:08:32.586Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Bamboo Data Center", "vendor": "Atlassian", "versions": [ { "status": "unaffected", "version": "\u003c 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.1" }, { "status": "affected", "version": "\u003e= 8.1.10" }, { "status": "affected", "version": "\u003e= 8.1.11" }, { "status": "affected", "version": "\u003e= 8.1.12" }, { "status": "affected", "version": "\u003e= 8.1.2" }, { "status": "affected", "version": "\u003e= 8.1.3" }, { "status": "affected", "version": "\u003e= 8.1.4" }, { "status": "affected", "version": "\u003e= 8.1.5" }, { "status": "affected", "version": "\u003e= 8.1.6" }, { "status": "affected", "version": "\u003e= 8.1.7" }, { "status": "affected", "version": "\u003e= 8.1.9" }, { "status": "affected", "version": "\u003e= 8.2.0" }, { "status": "affected", "version": "\u003e= 8.2.1" }, { "status": "affected", "version": "\u003e= 8.2.2" }, { "status": "affected", "version": "\u003e= 8.2.3" }, { "status": "affected", "version": "\u003e= 8.2.4" }, { "status": "affected", "version": "\u003e= 
8.2.5" }, { "status": "affected", "version": "\u003e= 8.2.6" }, { "status": "affected", "version": "\u003e= 8.2.7" }, { "status": "affected", "version": "\u003e= 8.2.8" }, { "status": "affected", "version": "\u003e= 8.2.9" }, { "status": "affected", "version": "\u003e= 9.0.0" }, { "status": "affected", "version": "\u003e= 9.0.1" }, { "status": "affected", "version": "\u003e= 9.0.2" }, { "status": "affected", "version": "\u003e= 9.0.3" }, { "status": "affected", "version": "\u003e= 9.1.0" }, { "status": "affected", "version": "\u003e= 9.1.1" }, { "status": "affected", "version": "\u003e= 9.1.2" }, { "status": "affected", "version": "\u003e= 9.1.3" }, { "status": "affected", "version": "\u003e= 9.2.1" }, { "status": "affected", "version": "\u003e= 9.2.3" }, { "status": "affected", "version": "\u003e= 9.2.4" }, { "status": "affected", "version": "\u003e= 9.2.5" }, { "status": "affected", "version": "\u003e= 9.2.6" }, { "status": "affected", "version": "\u003e= 9.3.0" }, { "status": "affected", "version": "\u003e= 9.3.1" }, { "status": "affected", "version": "\u003e= 9.3.2" }, { "status": "affected", "version": "\u003e= 9.3.3" }, { "status": "unaffected", "version": "\u003e= 9.2.7" }, { "status": "unaffected", "version": "\u003e= 9.3.4" } ] }, { "product": "Bamboo Server", "vendor": "Atlassian", "versions": [ { "status": "unaffected", "version": "\u003c 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.1" }, { "status": "affected", "version": "\u003e= 8.1.10" }, { "status": "affected", "version": "\u003e= 8.1.11" }, { "status": "affected", "version": "\u003e= 8.1.12" }, { "status": "affected", "version": "\u003e= 8.1.2" }, { "status": "affected", "version": "\u003e= 8.1.3" }, { "status": "affected", "version": "\u003e= 8.1.4" }, { "status": "affected", "version": "\u003e= 8.1.5" }, { "status": "affected", "version": "\u003e= 8.1.6" }, { "status": "affected", "version": "\u003e= 8.1.7" }, { "status": 
"affected", "version": "\u003e= 8.1.9" }, { "status": "affected", "version": "\u003e= 8.2.0" }, { "status": "affected", "version": "\u003e= 8.2.1" }, { "status": "affected", "version": "\u003e= 8.2.2" }, { "status": "affected", "version": "\u003e= 8.2.3" }, { "status": "affected", "version": "\u003e= 8.2.4" }, { "status": "affected", "version": "\u003e= 8.2.5" }, { "status": "affected", "version": "\u003e= 8.2.6" }, { "status": "affected", "version": "\u003e= 8.2.7" }, { "status": "affected", "version": "\u003e= 8.2.8" }, { "status": "affected", "version": "\u003e= 8.2.9" }, { "status": "affected", "version": "\u003e= 9.0.0" }, { "status": "affected", "version": "\u003e= 9.0.1" }, { "status": "affected", "version": "\u003e= 9.0.2" }, { "status": "affected", "version": "\u003e= 9.0.3" }, { "status": "affected", "version": "\u003e= 9.1.0" }, { "status": "affected", "version": "\u003e= 9.1.1" }, { "status": "affected", "version": "\u003e= 9.1.2" }, { "status": "affected", "version": "\u003e= 9.1.3" }, { "status": "affected", "version": "\u003e= 9.2.1" }, { "status": "affected", "version": "\u003e= 9.2.3" }, { "status": "affected", "version": "\u003e= 9.2.4" }, { "status": "affected", "version": "\u003e= 9.2.5" }, { "status": "affected", "version": "\u003e= 9.2.6" }, { "status": "affected", "version": "\u003e= 9.3.0" }, { "status": "affected", "version": "\u003e= 9.3.1" }, { "status": "affected", "version": "\u003e= 9.3.2" }, { "status": "affected", "version": "\u003e= 9.3.3" }, { "status": "unaffected", "version": "\u003e= 9.2.7" }, { "status": "unaffected", "version": "\u003e= 9.3.4" } ] } ], "credits": [ { "lang": "en", "value": "a private user" } ], "descriptions": [ { "lang": "en", "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated 
attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.\r\n JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)\r\n\r\n Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was discovered by a private user and reported via our Bug Bounty program" } ], "metrics": [ { "cvssV3_0": { "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "RCE (Remote Code Execution)", "lang": "en", "type": "RCE (Remote Code Execution)" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-21T18:00:00.752Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "url": "https://jira.atlassian.com/browse/BAM-25168" } ] } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2023-22516", "datePublished": "2023-11-21T18:00:00.752Z", "dateReserved": "2023-01-01T00:01:22.332Z", "dateUpdated": 
"2024-10-21T14:08:32.586Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26067
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://jira.atlassian.com/browse/BAM-21215 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.691Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-21215" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "lessThan": "7.2.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2021-01-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2." } ], "problemTypes": [ { "descriptions": [ { "description": "Sensitive Data Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-28T01:45:16", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BAM-21215" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-01-23T00:00:00", "ID": "CVE-2021-26067", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.2.2" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain 
files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Sensitive Data Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-21215", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BAM-21215" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26067", "datePublished": "2021-01-28T01:45:16.145818Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T18:34:10.127Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26137
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-21795 | x_refsource_MISC | |
https://jira.atlassian.com/browse/BSERV-13370 | x_refsource_MISC | |
https://jira.atlassian.com/browse/CONFSERVER-79476 | x_refsource_MISC | |
https://jira.atlassian.com/browse/CWD-5815 | x_refsource_MISC | |
https://jira.atlassian.com/browse/FE-7410 | x_refsource_MISC | |
https://jira.atlassian.com/browse/CRUC-8541 | x_refsource_MISC | |
https://jira.atlassian.com/browse/JRASERVER-73897 | x_refsource_MISC | |
https://jira.atlassian.com/browse/JSDSERVER-11863 | x_refsource_MISC |
Vendor | Product | Version |
---|---|---|
Atlassian | Bamboo Server | Version: unspecified < 8.0.9; Version: 8.1.0 < unspecified; Version: unspecified < 8.1.8; Version: 8.2.0 < unspecified; Version: unspecified < 8.2.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:37.614Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bamboo", "vendor": "atlassian", "versions": [ { "lessThan": "7.2.10", "status": "affected", "version": "7.2.0", "versionType": "custom" }, { "lessThan": "8.0.9", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.8", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.2.4", "status": "affected", "version": "8.2.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bitbucket", "vendor": "atlassian", "versions": [ { "lessThan": "7.6.16", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.17.8", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.19.5", "status": 
"affected", "version": "7.18.0", "versionType": "custom" }, { "lessThan": "7.20.2", "status": "affected", "version": "7.20.1", "versionType": "custom" }, { "lessThan": "7.21.2", "status": "affected", "version": "7.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bitbucket", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "8.0.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bitbucket", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "8.1.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.15.2", "status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "7.17.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_data_center", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "7.18.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_server", "vendor": "atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { 
"lessThan": "7.14.3", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.15.2", "status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "7.17.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_server", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "7.18.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "crowd", "vendor": "atlassian", "versions": [ { "lessThan": "4.3.8", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.4.2", "status": "affected", "version": "4.4.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "crowd", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "5.0.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "crucible", "vendor": "atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fisheye", "vendor": "atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "8.13.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.22.4", 
"status": "affected", "version": "8.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "8.13.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "8.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_desk", "vendor": "atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_desk", "vendor": "atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_management", "vendor": "atlassian", "versions": [ { "lessThan": "4.20.10", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "4.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_management", "vendor": "atlassian", "versions": [ { "lessThan": "4.20.10", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "4.21.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-26137", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-03T16:48:52.174175Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-03T17:10:16.886Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Bamboo Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.0.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Bamboo Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.0.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Bitbucket Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", 
"status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.18.0", "versionType": "custom" }, { "lessThan": "7.19.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.20.0", "versionType": "custom" }, { "lessThan": "7.20.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.21.0", "versionType": "custom" }, { "lessThan": "7.21.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "8.0.0" }, { "status": "affected", "version": "8.1.0" } ] }, { "product": "Bitbucket Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.18.0", "versionType": "custom" }, { "lessThan": "7.19.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.20.0", "versionType": "custom" }, { "lessThan": "7.20.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.21.0", "versionType": "custom" }, { "lessThan": "7.21.2", "status": "affected", "version": "unspecified", 
"versionType": "custom" }, { "status": "affected", "version": "8.0.0" }, { "status": "affected", "version": "8.1.0" } ] }, { "product": "Confluence Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.15.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.17.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "7.18.0" } ] }, { "product": "Confluence Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.15.0", "versionType": "custom" 
}, { "lessThan": "7.15.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.17.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "7.18.0" } ] }, { "product": "Crowd Server", "vendor": "Atlassian", "versions": [ { "lessThan": "4.3.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.4.0", "versionType": "custom" }, { "lessThan": "4.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "5.0.0" } ] }, { "product": "Crowd Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "4.3.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.4.0", "versionType": "custom" }, { "lessThan": "4.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "5.0.0" } ] }, { "product": "Crucible", "vendor": "Atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Fisheye", "vendor": "Atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Core Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.10", 
"status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.21.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Software Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.21.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Software Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.21.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Service Management Server", "vendor": "Atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.21.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "unspecified", 
"versionType": "custom" } ] }, { "product": "Jira Service Management Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.21.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-07-20T00:00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. 
Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-180", "description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-20T17:25:23", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-07-20T00:00:00", "ID": "CVE-2022-26137", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.0.9" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.8" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.4" } ] } }, { "product_name": "Bamboo Data Center", "version": { 
"version_data": [ { "version_affected": "\u003c", "version_value": "8.0.9" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.8" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.4" } ] } }, { "product_name": "Bitbucket Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.16" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.17.8" }, { "version_affected": "\u003e=", "version_value": "7.18.0" }, { "version_affected": "\u003c", "version_value": "7.19.5" }, { "version_affected": "\u003e=", "version_value": "7.20.0" }, { "version_affected": "\u003c", "version_value": "7.20.2" }, { "version_affected": "\u003e=", "version_value": "7.21.0" }, { "version_affected": "\u003c", "version_value": "7.21.2" }, { "version_affected": "=", "version_value": "8.0.0" }, { "version_affected": "=", "version_value": "8.1.0" } ] } }, { "product_name": "Bitbucket Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.16" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.17.8" }, { "version_affected": "\u003e=", "version_value": "7.18.0" }, { "version_affected": "\u003c", "version_value": "7.19.5" }, { "version_affected": "\u003e=", "version_value": "7.20.0" }, { "version_affected": "\u003c", "version_value": "7.20.2" }, { "version_affected": "\u003e=", "version_value": "7.21.0" }, { "version_affected": "\u003c", "version_value": "7.21.2" }, { "version_affected": "=", "version_value": "8.0.0" }, { "version_affected": "=", "version_value": "8.1.0" } ] } }, { "product_name": "Confluence Server", "version": { "version_data": [ 
{ "version_affected": "\u003c", "version_value": "7.4.17" }, { "version_affected": "\u003e=", "version_value": "7.5.0" }, { "version_affected": "\u003c", "version_value": "7.13.7" }, { "version_affected": "\u003e=", "version_value": "7.14.0" }, { "version_affected": "\u003c", "version_value": "7.14.3" }, { "version_affected": "\u003e=", "version_value": "7.15.0" }, { "version_affected": "\u003c", "version_value": "7.15.2" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.16.4" }, { "version_affected": "\u003e=", "version_value": "7.17.0" }, { "version_affected": "\u003c", "version_value": "7.17.4" }, { "version_affected": "=", "version_value": "7.18.0" } ] } }, { "product_name": "Confluence Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.4.17" }, { "version_affected": "\u003e=", "version_value": "7.5.0" }, { "version_affected": "\u003c", "version_value": "7.13.7" }, { "version_affected": "\u003e=", "version_value": "7.14.0" }, { "version_affected": "\u003c", "version_value": "7.14.3" }, { "version_affected": "\u003e=", "version_value": "7.15.0" }, { "version_affected": "\u003c", "version_value": "7.15.2" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.16.4" }, { "version_affected": "\u003e=", "version_value": "7.17.0" }, { "version_affected": "\u003c", "version_value": "7.17.4" }, { "version_affected": "=", "version_value": "7.18.0" } ] } }, { "product_name": "Crowd Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.3.8" }, { "version_affected": "\u003e=", "version_value": "4.4.0" }, { "version_affected": "\u003c", "version_value": "4.4.2" }, { "version_affected": "=", "version_value": "5.0.0" } ] } }, { "product_name": "Crowd Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.3.8" }, { 
"version_affected": "\u003e=", "version_value": "4.4.0" }, { "version_affected": "\u003c", "version_value": "4.4.2" }, { "version_affected": "=", "version_value": "5.0.0" } ] } }, { "product_name": "Crucible", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.8.10" } ] } }, { "product_name": "Fisheye", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.8.10" } ] } }, { "product_name": "Jira Core Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.22" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.10" }, { "version_affected": "\u003e=", "version_value": "8.21.0" }, { "version_affected": "\u003c", "version_value": "8.22.4" } ] } }, { "product_name": "Jira Software Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.22" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.10" }, { "version_affected": "\u003e=", "version_value": "8.21.0" }, { "version_affected": "\u003c", "version_value": "8.22.4" } ] } }, { "product_name": "Jira Software Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.22" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.10" }, { "version_affected": "\u003e=", "version_value": "8.21.0" }, { "version_affected": "\u003c", "version_value": "8.22.4" } ] } }, { "product_name": "Jira Service Management Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.13.22" }, { "version_affected": "\u003e=", "version_value": "4.14.0" }, { "version_affected": "\u003c", "version_value": "4.20.10" }, { "version_affected": "\u003e=", "version_value": "4.21.0" }, { "version_affected": "\u003c", "version_value": "4.22.4" } ] } }, { 
"product_name": "Jira Service Management Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.13.22" }, { "version_affected": "\u003e=", "version_value": "4.14.0" }, { "version_affected": "\u003c", "version_value": "4.20.10" }, { "version_affected": "\u003e=", "version_value": "4.21.0" }, { "version_affected": "\u003c", "version_value": "4.22.4" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. 
Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-21795", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "name": "https://jira.atlassian.com/browse/BSERV-13370", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "name": "https://jira.atlassian.com/browse/CONFSERVER-79476", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "name": "https://jira.atlassian.com/browse/CWD-5815", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "name": "https://jira.atlassian.com/browse/FE-7410", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/FE-7410" }, { "name": "https://jira.atlassian.com/browse/CRUC-8541", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-73897", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "name": "https://jira.atlassian.com/browse/JSDSERVER-11863", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2022-26137", "datePublished": "2022-07-20T17:25:23.603830Z", "dateReserved": "2022-02-25T00:00:00", "dateUpdated": "2024-10-03T17:10:16.886Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26136
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://jira.atlassian.com/browse/BAM-21795 | x_refsource_MISC |
https://jira.atlassian.com/browse/BSERV-13370 | x_refsource_MISC |
https://jira.atlassian.com/browse/CONFSERVER-79476 | x_refsource_MISC |
https://jira.atlassian.com/browse/CWD-5815 | x_refsource_MISC |
https://jira.atlassian.com/browse/FE-7410 | x_refsource_MISC |
https://jira.atlassian.com/browse/CRUC-8541 | x_refsource_MISC |
https://jira.atlassian.com/browse/JRASERVER-73897 | x_refsource_MISC |
https://jira.atlassian.com/browse/JSDSERVER-11863 | x_refsource_MISC |
Vendor | Product | Version |
---|---|---|
Atlassian | Bamboo Server | unspecified < 8.0.9; 8.1.0 < unspecified; unspecified < 8.1.8; 8.2.0 < unspecified; unspecified < 8.2.4 |

Each `X < unspecified` entry followed by `unspecified < Y` encodes one range, from X before Y; the record's description gives the same ranges for Bamboo as before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:37.592Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bamboo", "vendor": "atlassian", "versions": [ { "lessThan": "7.2.10", "status": "affected", "version": "7.2.0", "versionType": "custom" }, { "lessThan": "8.0.9", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.8", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.2.4", "status": "affected", "version": "8.2.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bitbucket", "vendor": "atlassian", "versions": [ { "lessThan": "7.6.16", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.17.8", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.19.5", "status": 
"affected", "version": "7.18.0", "versionType": "custom" }, { "lessThan": "7.20.2", "status": "affected", "version": "7.20.0", "versionType": "custom" }, { "lessThan": "7.21.2", "status": "affected", "version": "7.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bitbucket", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "8.0.0" }, { "status": "affected", "version": "8.1.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.15.2", "status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "7.17.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_data_center", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "7.18.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_server", "vendor": "atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.15.2", 
"status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "7.17.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "confluence_server", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "7.18.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "crowd", "vendor": "atlassian", "versions": [ { "lessThan": "4.3.8", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.4.2", "status": "affected", "version": "4.4.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "crowd", "vendor": "atlassian", "versions": [ { "status": "affected", "version": "5.0.0" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "crucible", "vendor": "atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fisheye", "vendor": "atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_data_center", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "8.13.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "8.21.0", "versionType": "custom" } ] }, { "cpes": [ 
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jira_server", "vendor": "atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "8.13.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "8.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_desk", "vendor": "atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_desk", "vendor": "atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_management", "vendor": "atlassian", "versions": [ { "lessThan": "4.20.10", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "4.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*" ], "defaultStatus": "unknown", "product": "jira_service_management", "vendor": "atlassian", "versions": [ { "lessThan": "4.20.10", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "4.21.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": 
"UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-26136", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-03T15:26:49.090400Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-03T16:43:16.268Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Bamboo Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.0.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Bamboo Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.0.9", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom" }, { "lessThan": "8.1.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Bitbucket Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { 
"lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.18.0", "versionType": "custom" }, { "lessThan": "7.19.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.20.0", "versionType": "custom" }, { "lessThan": "7.20.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.21.0", "versionType": "custom" }, { "lessThan": "7.21.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "8.0.0" }, { "status": "affected", "version": "8.1.0" } ] }, { "product": "Bitbucket Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.17.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.18.0", "versionType": "custom" }, { "lessThan": "7.19.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.20.0", "versionType": "custom" }, { "lessThan": "7.20.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.21.0", "versionType": "custom" }, { "lessThan": "7.21.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "8.0.0" }, { 
"status": "affected", "version": "8.1.0" } ] }, { "product": "Confluence Server", "vendor": "Atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.15.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.17.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "7.18.0" } ] }, { "product": "Confluence Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "7.4.17", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.5.0", "versionType": "custom" }, { "lessThan": "7.13.7", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.14.0", "versionType": "custom" }, { "lessThan": "7.14.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.15.0", "versionType": "custom" }, { "lessThan": "7.15.2", "status": "affected", "version": "unspecified", 
"versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.16.0", "versionType": "custom" }, { "lessThan": "7.16.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.17.0", "versionType": "custom" }, { "lessThan": "7.17.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "7.18.0" } ] }, { "product": "Crowd Server", "vendor": "Atlassian", "versions": [ { "lessThan": "4.3.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.4.0", "versionType": "custom" }, { "lessThan": "4.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "5.0.0" } ] }, { "product": "Crowd Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "4.3.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.4.0", "versionType": "custom" }, { "lessThan": "4.4.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "affected", "version": "5.0.0" } ] }, { "product": "Crucible", "vendor": "Atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Fisheye", "vendor": "Atlassian", "versions": [ { "lessThan": "4.8.10", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Core Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { 
"lessThan": "unspecified", "status": "affected", "version": "8.21.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Software Server", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.21.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Software Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "8.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom" }, { "lessThan": "8.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.21.0", "versionType": "custom" }, { "lessThan": "8.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Service Management Server", "vendor": "Atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.21.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Service Management Data Center", 
"vendor": "Atlassian", "versions": [ { "lessThan": "4.13.22", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.14.0", "versionType": "custom" }, { "lessThan": "4.20.10", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.21.0", "versionType": "custom" }, { "lessThan": "4.22.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-07-20T00:00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. 
Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-180", "description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-20T17:25:18", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-07-20T00:00:00", "ID": "CVE-2022-26136", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.0.9" }, { "version_affected": "\u003e=", "version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.8" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.4" } ] } }, { "product_name": "Bamboo Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.0.9" }, { "version_affected": "\u003e=", 
"version_value": "8.1.0" }, { "version_affected": "\u003c", "version_value": "8.1.8" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.4" } ] } }, { "product_name": "Bitbucket Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.16" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.17.8" }, { "version_affected": "\u003e=", "version_value": "7.18.0" }, { "version_affected": "\u003c", "version_value": "7.19.5" }, { "version_affected": "\u003e=", "version_value": "7.20.0" }, { "version_affected": "\u003c", "version_value": "7.20.2" }, { "version_affected": "\u003e=", "version_value": "7.21.0" }, { "version_affected": "\u003c", "version_value": "7.21.2" }, { "version_affected": "=", "version_value": "8.0.0" }, { "version_affected": "=", "version_value": "8.1.0" } ] } }, { "product_name": "Bitbucket Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.6.16" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.17.8" }, { "version_affected": "\u003e=", "version_value": "7.18.0" }, { "version_affected": "\u003c", "version_value": "7.19.5" }, { "version_affected": "\u003e=", "version_value": "7.20.0" }, { "version_affected": "\u003c", "version_value": "7.20.2" }, { "version_affected": "\u003e=", "version_value": "7.21.0" }, { "version_affected": "\u003c", "version_value": "7.21.2" }, { "version_affected": "=", "version_value": "8.0.0" }, { "version_affected": "=", "version_value": "8.1.0" } ] } }, { "product_name": "Confluence Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.4.17" }, { "version_affected": "\u003e=", "version_value": 
"7.5.0" }, { "version_affected": "\u003c", "version_value": "7.13.7" }, { "version_affected": "\u003e=", "version_value": "7.14.0" }, { "version_affected": "\u003c", "version_value": "7.14.3" }, { "version_affected": "\u003e=", "version_value": "7.15.0" }, { "version_affected": "\u003c", "version_value": "7.15.2" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.16.4" }, { "version_affected": "\u003e=", "version_value": "7.17.0" }, { "version_affected": "\u003c", "version_value": "7.17.4" }, { "version_affected": "=", "version_value": "7.18.0" } ] } }, { "product_name": "Confluence Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "7.4.17" }, { "version_affected": "\u003e=", "version_value": "7.5.0" }, { "version_affected": "\u003c", "version_value": "7.13.7" }, { "version_affected": "\u003e=", "version_value": "7.14.0" }, { "version_affected": "\u003c", "version_value": "7.14.3" }, { "version_affected": "\u003e=", "version_value": "7.15.0" }, { "version_affected": "\u003c", "version_value": "7.15.2" }, { "version_affected": "\u003e=", "version_value": "7.16.0" }, { "version_affected": "\u003c", "version_value": "7.16.4" }, { "version_affected": "\u003e=", "version_value": "7.17.0" }, { "version_affected": "\u003c", "version_value": "7.17.4" }, { "version_affected": "=", "version_value": "7.18.0" } ] } }, { "product_name": "Crowd Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.3.8" }, { "version_affected": "\u003e=", "version_value": "4.4.0" }, { "version_affected": "\u003c", "version_value": "4.4.2" }, { "version_affected": "=", "version_value": "5.0.0" } ] } }, { "product_name": "Crowd Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.3.8" }, { "version_affected": "\u003e=", "version_value": "4.4.0" }, { "version_affected": "\u003c", "version_value": "4.4.2" }, { 
"version_affected": "=", "version_value": "5.0.0" } ] } }, { "product_name": "Crucible", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.8.10" } ] } }, { "product_name": "Fisheye", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.8.10" } ] } }, { "product_name": "Jira Core Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.22" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.10" }, { "version_affected": "\u003e=", "version_value": "8.21.0" }, { "version_affected": "\u003c", "version_value": "8.22.4" } ] } }, { "product_name": "Jira Software Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.22" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.10" }, { "version_affected": "\u003e=", "version_value": "8.21.0" }, { "version_affected": "\u003c", "version_value": "8.22.4" } ] } }, { "product_name": "Jira Software Data Center", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "8.13.22" }, { "version_affected": "\u003e=", "version_value": "8.14.0" }, { "version_affected": "\u003c", "version_value": "8.20.10" }, { "version_affected": "\u003e=", "version_value": "8.21.0" }, { "version_affected": "\u003c", "version_value": "8.22.4" } ] } }, { "product_name": "Jira Service Management Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.13.22" }, { "version_affected": "\u003e=", "version_value": "4.14.0" }, { "version_affected": "\u003c", "version_value": "4.20.10" }, { "version_affected": "\u003e=", "version_value": "4.21.0" }, { "version_affected": "\u003c", "version_value": "4.22.4" } ] } }, { "product_name": "Jira Service Management Data Center", "version": { "version_data": [ { "version_affected": "\u003c", 
"version_value": "4.13.22" }, { "version_affected": "\u003e=", "version_value": "4.14.0" }, { "version_affected": "\u003c", "version_value": "4.20.10" }, { "version_affected": "\u003e=", "version_value": "4.21.0" }, { "version_affected": "\u003c", "version_value": "4.22.4" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)." } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-21795", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "name": "https://jira.atlassian.com/browse/BSERV-13370", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "name": "https://jira.atlassian.com/browse/CONFSERVER-79476", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "name": "https://jira.atlassian.com/browse/CWD-5815", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "name": "https://jira.atlassian.com/browse/FE-7410", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/FE-7410" }, { "name": "https://jira.atlassian.com/browse/CRUC-8541", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-73897", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "name": "https://jira.atlassian.com/browse/JSDSERVER-11863", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2022-26136", "datePublished": "2022-07-20T17:25:18.803466Z", "dateReserved": "2022-02-25T00:00:00", "dateUpdated": "2024-10-03T16:43:16.268Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-8361
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/537347/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://jira.atlassian.com/browse/BAM-17102 | x_refsource_CONFIRM | |
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:13:32.335Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-17102" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-17102" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8361", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "name": "https://jira.atlassian.com/browse/BAM-17102", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-17102" }, { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "name": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8361", "datePublished": "2016-02-08T19:00:00", "dateReserved": "2015-11-25T00:00:00", "dateUpdated": "2024-08-06T08:13:32.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14589
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-18842 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/102188 | vdb-entry, x_refsource_BID | |
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:34:38.594Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-18842" }, { "name": "102188", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102188" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "before 6.1.6 (the fixed version for 6.1.x)" }, { "status": "affected", "version": "from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)" } ] } ], "datePublic": "2017-12-12T00:00:00", "descriptions": [ { "lang": "en", "value": "It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-15T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-18842" }, { "name": "102188", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102188" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-12-12T00:00:00", "ID": "CVE-2017-14589", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "before 6.1.6 (the fixed version for 6.1.x)" }, { "version_value": "from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-18842", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-18842" }, { "name": "102188", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102188" }, { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-14589", "datePublished": "2017-12-13T15:00:00Z", "dateReserved": "2017-09-19T00:00:00", "dateUpdated": "2024-09-16T19:10:55.831Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18040
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-19661 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/103070 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:06:50.057Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19661" }, { "name": "103070", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103070" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 6.2.0" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-20T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19661" }, { "name": "103070", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103070" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18040", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "prior to 6.2.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 
allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-19661", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19661" }, { "name": "103070", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103070" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18040", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-01-17T00:00:00", "dateUpdated": "2024-09-16T20:16:51.105Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18042
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/103110 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/BAM-19663 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:06:50.207Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "103110", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103110" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19663" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 6.3.1" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-23T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "103110", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103110" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19663" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18042", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "prior to 6.3.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote 
attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "103110", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103110" }, { "name": "https://jira.atlassian.com/browse/BAM-19663", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19663" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18042", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-01-17T00:00:00", "dateUpdated": "2024-09-17T00:32:15.539Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-9514
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/101269 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:11:02.270Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html" }, { "name": "101269", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/101269" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "from 6.0.0 before 6.0.5" }, { "status": "affected", "version": "from 6.1.0 before 6.1.4" }, { "status": "affected", "version": "from 6.2.0 before 6.2.1" } ] } ], "datePublic": "2017-10-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-17T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html" }, { "name": "101269", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/101269" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "ID": "CVE-2017-9514", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "from 6.0.0 before 6.0.5" }, { "version_value": "from 6.1.0 before 6.1.4" }, { "version_value": "from 6.2.0 before 6.2.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html" }, { "name": "101269", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101269" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-9514", "datePublished": "2017-10-12T13:00:00", "dateReserved": "2017-06-07T00:00:00", "dateUpdated": "2024-08-05T17:11:02.270Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14590
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-18843 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/102193 | vdb-entry, x_refsource_BID | |
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:34:39.438Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-18843" }, { "name": "102193", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102193" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "from 2.7.0 before 6.1.6 (the fixed version for 6.1.x)" }, { "status": "affected", "version": "from 6.2.0 before 6.2.5" } ] } ], "datePublic": "2017-12-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-15T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-18843" }, { "name": "102193", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102193" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-12-12T00:00:00", "ID": "CVE-2017-14590", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "from 2.7.0 before 6.1.6 (the fixed version for 6.1.x)" }, { "version_value": "from 6.2.0 before 6.2.5" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-18843", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-18843" }, { "name": "102193", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102193" }, { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-14590", "datePublished": "2017-12-13T15:00:00Z", "dateReserved": "2017-09-19T00:00:00", "dateUpdated": "2024-09-16T22:50:26.106Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-5224
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/103653 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/BAM-19743 | x_refsource_CONFIRM | |
https://confluence.atlassian.com/x/PS9sO | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T05:26:46.994Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "103653", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103653" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19743" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/x/PS9sO" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2.7.1", "versionType": "custom" }, { "lessThan": "6.3.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "6.4.0", "versionType": "custom" }, { "lessThan": "6.4.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-03-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Argument Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-05T09:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "103653", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103653" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19743" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/x/PS9sO" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-03-28T00:00:00", "ID": "CVE-2018-5224", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2.7.1" }, { "version_affected": "\u003c", "version_value": "6.3.3" }, { "version_affected": "\u003e=", "version_value": "6.4.0" }, { "version_affected": "\u003c", "version_value": "6.4.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. 
All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Argument Injection" } ] } ] }, "references": { "reference_data": [ { "name": "103653", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103653" }, { "name": "https://jira.atlassian.com/browse/BAM-19743", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19743" }, { "name": "https://confluence.atlassian.com/x/PS9sO", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/x/PS9sO" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2018-5224", "datePublished": "2018-03-29T13:00:00Z", "dateReserved": "2018-01-05T00:00:00", "dateUpdated": "2024-09-16T18:04:23.118Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-9757
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/537347/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html | x_refsource_CONFIRM | |
https://jira.atlassian.com/browse/BAM-17099 | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:55:04.539Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-17099" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-20T00:00:00", "descriptions": [ { "lang": "en", "value": "The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-17099" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9757", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20160122 January 2016 - Bamboo - Critical Security Advisory", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "name": "https://jira.atlassian.com/browse/BAM-17099", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-17099" }, { "name": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9757", "datePublished": "2016-02-08T19:00:00", "dateReserved": "2015-11-25T00:00:00", "dateUpdated": "2024-08-06T13:55:04.539Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18080
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-19664 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.237Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19664" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 6.3.1" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-02T13:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19664" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18080", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "prior to 6.3.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-19664", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19664" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18080", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T20:47:51.576Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2926
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/75682 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/49146 | third-party-advisory, x_refsource_SECUNIA | |
http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://osvdb.org/81993 | vdb-entry, x_refsource_OSVDB | |
http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/53595 | vdb-entry, x_refsource_BID | |
http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/75697 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:50:05.307Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "fisheye-crucible-xml-dos(75682)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "name": "49146", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/49146" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81993" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-05-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 
4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "fisheye-crucible-xml-dos(75682)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "name": "49146", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/49146" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81993" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "name": "53595", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/53595" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } 
], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2926", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "fisheye-crucible-xml-dos(75682)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "name": "49146", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/49146" }, { "name": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "name": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "name": "81993", "refsource": "OSVDB", "url": "http://osvdb.org/81993" }, { "name": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": 
"http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "name": "53595", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53595" }, { "name": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17", "refsource": "CONFIRM", "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "name": "jira-xml-dos(75697)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2926", "datePublished": "2012-05-22T15:00:00", "dateReserved": "2012-05-22T00:00:00", "dateUpdated": "2024-08-06T19:50:05.307Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-5229
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/539003/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/92057 | vdb-entry, x_refsource_BID | |
https://jira.atlassian.com/browse/BAM-17736 | x_refsource_CONFIRM | |
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:53:48.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20160726 July 2016 - Bamboo Server - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html" }, { "name": "92057", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/92057" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-17736" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-07-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20160726 July 2016 - Bamboo Server - Critical Security Advisory", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html" }, { "name": "92057", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/92057" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-17736" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-5229", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20160726 July 2016 - Bamboo Server - Critical Security Advisory", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded" }, { "name": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html" }, { "name": "92057", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92057" }, { "name": "https://jira.atlassian.com/browse/BAM-17736", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-17736" }, { "name": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-5229", "datePublished": "2016-08-02T16:00:00", "dateReserved": "2016-06-01T00:00:00", "dateUpdated": "2024-08-06T00:53:48.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-6576
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/536747/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://confluence.atlassian.com/x/Hw7RLg | x_refsource_CONFIRM | |
https://jira.atlassian.com/browse/BAM-16439 | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:22:22.274Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20151023 CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://confluence.atlassian.com/x/Hw7RLg" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-16439" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-10-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20151023 CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://confluence.atlassian.com/x/Hw7RLg" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-16439" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-6576", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20151023 CVE-2015-6576: Bamboo - Deserialisation resulting in remote code execution", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded" }, { "name": "https://confluence.atlassian.com/x/Hw7RLg", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/x/Hw7RLg" }, { "name": "https://jira.atlassian.com/browse/BAM-16439", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-16439" }, { "name": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-6576", "datePublished": "2017-10-02T18:00:00", "dateReserved": "2015-08-21T00:00:00", "dateUpdated": "2024-08-06T07:22:22.274Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18082
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-19666 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:47.519Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19666" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 6.2.3" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-02T13:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19666" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18082", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "prior to 6.2.3" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-19666", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19666" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18082", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T18:38:32.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18081
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.atlassian.com/browse/BAM-19665 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/103087 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.209Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-19665" }, { "name": "103087", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103087" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Bamboo", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 6.3.1" } ] } ], "datePublic": "2018-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-22T10:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/BAM-19665" }, { "name": "103087", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103087" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-02T00:00:00", "ID": "CVE-2017-18081", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Bamboo", "version": { "version_data": [ { "version_value": "prior to 6.3.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote 
attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/BAM-19665", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BAM-19665" }, { "name": "103087", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103087" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18081", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T23:35:48.417Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19666 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19666 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CB48F4C-78DE-4BD7-988D-6D83286CA99F", "versionEndExcluding": "6.2.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch." }, { "lang": "es", "value": "El recurso de ramas de configuraci\u00f3n de plan en Atlassian Bamboo, en versiones anteriores a la 6.2.3, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una rama." } ], "id": "CVE-2017-18082", "lastModified": "2024-11-21T03:19:19.403", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2018-02-02T14:29:01.217", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19666" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19666" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BD39D93-971A-4C82-9090-E502D250851A", "versionEndExcluding": "9.2.7", "versionStartIncluding": "8.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "191F8EA5-2812-4A23-98AB-28C4843CDE15", "versionEndExcluding": "9.3.4", "versionStartIncluding": "9.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.\r\n JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)\r\n\r\n Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). 
You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was discovered by a private user and reported via our Bug Bounty program" }, { "lang": "es", "value": "Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo) de alta gravedad se introdujo en las versiones 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0 y 9.3.0 de Bamboo Data Center and Server. Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo), con una puntuaci\u00f3n CVSS de 8.5, permite a un atacante autenticado ejecutar c\u00f3digo arbitrario que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Bamboo Data Center and Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: Bamboo Data Center and Server 9.2: actualice a una versi\u00f3n superior o igual a 9.2.7. Se debe utilizar JDK 1.8u121+ en caso de que se utilice Java 8 para ejecutar Bamboo Data Center and Server. Consulte las notas de actualizaci\u00f3n de Bamboo 9.2 (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html) Bamboo Data Center and Server 9.3: actualice a una versi\u00f3n superior o igual a 9.3.4. Consulte las notas de la versi\u00f3n ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). Puede descargar la \u00faltima versi\u00f3n de Bamboo Data Center and Server desde el centro de descargas ([https://www.atlassian.com/software/bamboo/download-archives]). Esta vulnerabilidad fue descubierta por un usuario privado y reportada a trav\u00e9s de nuestro programa Bug Bounty." 
} ], "id": "CVE-2023-22516", "lastModified": "2024-11-21T07:44:58.067", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security@atlassian.com", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-21T18:15:07.910", "references": [ { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-25168" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-25168" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103071 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19662 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103071 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19662 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "17B08059-ED44-4125-9AA6-0C8C42B1E21E", "versionEndExcluding": "6.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release." }, { "lang": "es", "value": "El recurso viewDeploymentVersionJiraIssuesDialog en Atlassian Bamboo, en versiones anteriores a la 6.2.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una versi\u00f3n." } ], "id": "CVE-2017-18041", "lastModified": "2024-11-21T03:19:13.883", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2018-02-02T14:29:00.937", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103071" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19662" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103071" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19662" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103087 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19665 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103087 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19665 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "81E848FD-F297-4BA3-A186-F1C8494373CA", "versionEndExcluding": "6.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie." }, { "lang": "es", "value": "El recurso signupUser en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el valor de la cookie del token csrf." } ], "id": "CVE-2017-18081", "lastModified": "2024-11-21T03:19:19.293", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-02-02T14:29:01.137", 
"references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103087" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19665" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19665" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*", "matchCriteriaId": "2764BBDA-4FA2-4FFD-A126-823CB52D0D06", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "42875600-4DA1-4574-9F9D-0FB8AE61DD10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C79631B-6B9F-4FC0-9B12-17CD656A1CD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "C2337D88-9821-4794-B0C8-6FA73BD158C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F2F087A2-790D-4D36-82F0-83C6BF504216", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "2162E45E-58ED-43B5-905F-C2E7475E0DB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "69BE15C9-542E-4586-8B05-BBE1508266E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "8C8F7C6B-C6DF-4106-83FA-C8BCB2A0D02A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "3D461805-C648-420C-9352-64634DC06CF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "F995A4F3-EDB9-431C-864E-253EACB523A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B407F0C-D5CA-4D33-A124-CBEC74B5EF5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "0F1B608F-A264-4FFB-9250-311ECEC065E2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "5259D2D7-ABAE-4024-AA80-77D7F6A2AD21", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*", 
"matchCriteriaId": "E42A908E-D53D-4A7A-917E-FB66C846CC55", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "F41AEA85-6758-448C-B7AC-87E252380BBB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "AE7F1728-FBE3-4FEF-8CA9-E613D5873FC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "5021430D-C84B-4F67-A490-A0D6C87B25D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "64083DE3-8072-4CAC-B374-5FF402E048A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A940B1E-3E73-4A3E-912B-BF482776CF5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "6DB6A4F7-4827-4965-8790-41A60AAD98C9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "CA69F796-66AC-49BA-BF8C-348E6FDB2176", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "98DE5577-DFD8-42E7-A70A-3402D6386E79", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "BEA5C7C8-CDD5-4D22-A0B6-F7DEC87CDC9E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B19625B6-CDBE-485B-BAF1-53ABB770C7B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "866C3CB4-B8FE-4D22-B130-67139D193B83", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "7BD2FA24-8D68-4F31-8F88-A0930A92591B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4F3C3168-20E6-41D2-845B-5A661DCF6A21", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E3BD0EAF-1C94-43A0-9133-9ADD8CAB8F87", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A4074958-998F-4333-8C81-45D0A765FB6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "0C5E5257-9004-4874-86A0-A3AB4230CE44", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4F9F3A23-71C8-4F65-A739-26BAAF1D9620", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "2539517E-733A-427A-A0DA-F20E6C8A0A0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "FEE47E00-3496-4E22-9BDC-7BAF77516249", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*", "matchCriteriaId": "B207B5EC-B2F2-4ED2-94B7-20CC15D542B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "70595742-7AB8-4A9D-94B4-8EADA093DC6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "DD49DEBD-557F-4D65-9DA3-5A4CA0CB014C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1EE8039C-2F64-4056-AADC-66408FADB090", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "36190377-CD45-458D-A533-5D68FC38753F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "E2A7E6EF-CEF1-4A6A-8C1F-3BA2CF17D9B4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F3DF4FF-4C86-4D9F-882C-96482F69F871", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7760BAB-C6F3-40B4-8A65-0778C91B2481", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D38BBD36-6F5F-44E4-8B74-A1F2E6E9ADE2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "173874C7-0A68-447D-9284-6904BBBA8D86", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "124E0B33-9C58-4AC9-9064-EE9F29FA56CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "89526493-E441-43A6-9C8B-FF16AFD9060F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D1921815-49AD-474C-8898-614C2209CAEB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "0761166B-7FD9-4574-8C13-0336343ADC46", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "1B13D9DB-83A0-42AE-A665-214A71890ED0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "FF901B9B-49DE-4676-8245-E280CF5A7EFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "7A1D8D9B-E39E-4E77-831E-1D417ACEA5C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "951E6F5B-C905-40F2-B164-647A3E948EAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B408EA00-A128-4927-BFBB-AF0B42EABA56", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8B6E80ED-818F-4438-BD2A-AD4847178ABF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EF0876B2-B95C-464B-9479-CEAA9A64E01A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": 
"ABFD011B-EC46-4BFC-AAAB-ABE6612B85E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "DCAE8C05-486F-4EC5-B084-2D55331C5EDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "D58EB432-8BFF-4CEC-B46C-695E77E2435C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "103A0455-79B1-4135-9384-C673A2459AEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*", "matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*", "matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*", "matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port." }, { "lang": "es", "value": "M\u00faltiples servicios no especificados en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0 no requieren autenticaci\u00f3n, lo que permite a atacantes remotos obtener informaci\u00f3n sensible, modificar ajustes o administrar agentes de construcci\u00f3n a trav\u00e9s de vectores desconocidos que involucran al puerto JMS." 
} ], "id": "CVE-2015-8361", "lastModified": "2024-11-21T02:38:22.130", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-02-08T19:59:04.563", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-17102" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-17102" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*", "matchCriteriaId": "2764BBDA-4FA2-4FFD-A126-823CB52D0D06", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "42875600-4DA1-4574-9F9D-0FB8AE61DD10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C79631B-6B9F-4FC0-9B12-17CD656A1CD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "C2337D88-9821-4794-B0C8-6FA73BD158C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F2F087A2-790D-4D36-82F0-83C6BF504216", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "2162E45E-58ED-43B5-905F-C2E7475E0DB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "69BE15C9-542E-4586-8B05-BBE1508266E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "8C8F7C6B-C6DF-4106-83FA-C8BCB2A0D02A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "3D461805-C648-420C-9352-64634DC06CF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "F995A4F3-EDB9-431C-864E-253EACB523A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B407F0C-D5CA-4D33-A124-CBEC74B5EF5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "0F1B608F-A264-4FFB-9250-311ECEC065E2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "5259D2D7-ABAE-4024-AA80-77D7F6A2AD21", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*", 
"matchCriteriaId": "E42A908E-D53D-4A7A-917E-FB66C846CC55", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "F41AEA85-6758-448C-B7AC-87E252380BBB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "AE7F1728-FBE3-4FEF-8CA9-E613D5873FC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "5021430D-C84B-4F67-A490-A0D6C87B25D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "64083DE3-8072-4CAC-B374-5FF402E048A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A940B1E-3E73-4A3E-912B-BF482776CF5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "6DB6A4F7-4827-4965-8790-41A60AAD98C9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "CA69F796-66AC-49BA-BF8C-348E6FDB2176", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "98DE5577-DFD8-42E7-A70A-3402D6386E79", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "BEA5C7C8-CDD5-4D22-A0B6-F7DEC87CDC9E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B19625B6-CDBE-485B-BAF1-53ABB770C7B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "866C3CB4-B8FE-4D22-B130-67139D193B83", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "7BD2FA24-8D68-4F31-8F88-A0930A92591B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4F3C3168-20E6-41D2-845B-5A661DCF6A21", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E3BD0EAF-1C94-43A0-9133-9ADD8CAB8F87", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A4074958-998F-4333-8C81-45D0A765FB6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "0C5E5257-9004-4874-86A0-A3AB4230CE44", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4F9F3A23-71C8-4F65-A739-26BAAF1D9620", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "2539517E-733A-427A-A0DA-F20E6C8A0A0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "FEE47E00-3496-4E22-9BDC-7BAF77516249", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*", "matchCriteriaId": "B207B5EC-B2F2-4ED2-94B7-20CC15D542B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "70595742-7AB8-4A9D-94B4-8EADA093DC6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "DD49DEBD-557F-4D65-9DA3-5A4CA0CB014C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1EE8039C-2F64-4056-AADC-66408FADB090", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "36190377-CD45-458D-A533-5D68FC38753F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "E2A7E6EF-CEF1-4A6A-8C1F-3BA2CF17D9B4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F3DF4FF-4C86-4D9F-882C-96482F69F871", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7760BAB-C6F3-40B4-8A65-0778C91B2481", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D38BBD36-6F5F-44E4-8B74-A1F2E6E9ADE2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "173874C7-0A68-447D-9284-6904BBBA8D86", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "124E0B33-9C58-4AC9-9064-EE9F29FA56CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "89526493-E441-43A6-9C8B-FF16AFD9060F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D1921815-49AD-474C-8898-614C2209CAEB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "0761166B-7FD9-4574-8C13-0336343ADC46", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "1B13D9DB-83A0-42AE-A665-214A71890ED0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "FF901B9B-49DE-4676-8245-E280CF5A7EFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "7A1D8D9B-E39E-4E77-831E-1D417ACEA5C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "951E6F5B-C905-40F2-B164-647A3E948EAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B408EA00-A128-4927-BFBB-AF0B42EABA56", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8B6E80ED-818F-4438-BD2A-AD4847178ABF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EF0876B2-B95C-464B-9479-CEAA9A64E01A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": 
"ABFD011B-EC46-4BFC-AAAB-ABE6612B85E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "DCAE8C05-486F-4EC5-B084-2D55331C5EDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "D58EB432-8BFF-4CEC-B46C-695E77E2435C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "103A0455-79B1-4135-9384-C673A2459AEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*", "matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*", "matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*", "matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message." }, { "lang": "es", "value": "La API Ignite Realtime Smack XMPP, como se utiliza en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0, permite a servidores XMPP remotos configurados ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de datos serializados en un mensaje XMPP." 
} ], "id": "CVE-2014-9757", "lastModified": "2024-11-21T02:21:36.307", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-02-08T19:59:00.127", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-17099" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-17099" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/99090 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99090 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*", 
"matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*", "matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*", "matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*", "matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "FA0783B9-8610-4710-B0D6-50220D72231A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0FA3E09-85DE-48CA-AEC8-ECC5FAA53A5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "D6B16FA0-4131-4C34-AEC8-69F1336FC496", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "C8E2EBFD-D17C-4539-93D6-5542FC81BD88", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.4:*:*:*:*:*:*:*", "matchCriteriaId": "34040BD5-D443-474E-9AD8-6CD4B2F1F31D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.5:*:*:*:*:*:*:*", "matchCriteriaId": "0FDCCD33-4DB2-4907-A122-D1EE0B41AAC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EBC89FA-A835-45A8-B37A-90ED9134F7D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "30879C5B-3AC0-46B4-81F5-186ED881840F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.13.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"49E6287B-03F0-443A-ADCB-D93ED072409C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "B857798E-7088-40D3-A6EF-9F1D674A7DDE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.1:*:*:*:*:*:*:*", "matchCriteriaId": "1A330DDD-E507-42C4-B458-F9825059AF53", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "EB54ED38-ABD5-4979-BDB8-0461BA4FE904", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.3:*:*:*:*:*:*:*", "matchCriteriaId": "07E21495-A028-4F71-B21C-FBADF3BA8543", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "493B321D-0034-4AED-8270-3055470BFA77", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.14.5:*:*:*:*:*:*:*", "matchCriteriaId": "DBFD20A5-B693-4801-9662-79FD68D26FDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "888DEC36-D4F3-403B-A2F8-83B3AF307934", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.2:*:*:*:*:*:*:*", "matchCriteriaId": "87A11F1D-704A-4FE8-98A6-F1880E20B8A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.3:*:*:*:*:*:*:*", "matchCriteriaId": "7CB66A4E-79FD-4793-9218-65A3472ED517", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.4:*:*:*:*:*:*:*", "matchCriteriaId": "D505A45B-431C-4C5A-B6FC-96C32D31FB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.15.5:*:*:*:*:*:*:*", "matchCriteriaId": "E03895CD-67B9-4F3C-A4C5-9DBED3AF3014", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DACC3EE-5898-457C-B9FE-DCBA2634DE4F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check 
if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo." }, { "lang": "es", "value": "Atlassian Bamboo, en versiones 5.x anteriores a la 5.15.7 y versiones 6.x anteriores a la 6.0.1, no comprob\u00f3 correctamente si un usuario que crea un proyecto de despliegue ten\u00eda el permiso de edici\u00f3n y, por lo tanto, los derechos para hacerlo. Un atacante que pueda iniciar sesi\u00f3n en Bamboo como usuario sin el permiso de edici\u00f3n para proyectos de despliegue puede emplear esta vulnerabilidad, siempre y cuando exista un plan con un \"green build\" para crear un proyecto de despliegue y ejecute c\u00f3digo arbitrario en un agente Bamboo disponible. Por defecto, un agente local est\u00e1 habilitado." 
} ], "id": "CVE-2017-8907", "lastModified": "2024-11-21T03:34:57.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2017-06-14T20:29:00.140", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99090" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": 
"https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99090" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:troubleshooting_and_support:*:*:*:*:*:*:*:*", "matchCriteriaId": "093A33BE-D93B-4CBC-9BF3-B37207CBAD84", "versionEndExcluding": "1.17.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "A17D5A1F-2408-4768-9DC3-F850B21B64AD", "versionEndExcluding": "6.10.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF79AB35-E420-4475-AD28-FC219C636C8B", "versionEndExcluding": "6.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC203A88-CA6B-4F1A-A68D-9C2CDE8F67FC", "versionEndExcluding": "7.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "1361951B-0754-45FF-96E4-8A886C24411B", "versionEndExcluding": "3.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "40EB5F54-C9BD-4299-A616-E3A8E20C77FB", "versionEndExcluding": "4.7.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "452D57FA-0A0B-486F-9D4B-45487B68FFB9", "versionEndExcluding": "4.7.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "76FE371E-3000-464E-ADEE-033BF2989429", "versionEndExcluding": "8.3.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. 
A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2." }, { "lang": "es", "value": "El plugin Atlassian Troubleshooting and Support anterior a versi\u00f3n 1.17.2, permite a un usuario sin privilegios iniciar escaneos de registros peri\u00f3dicos y enviar los resultados a una direcci\u00f3n de correo electr\u00f3nico especificada por el usuario debido a una falta de comprobaci\u00f3n de autorizaci\u00f3n. El mensaje de correo electr\u00f3nico puede contener informaci\u00f3n de configuraci\u00f3n sobre la aplicaci\u00f3n en la que el plugin est\u00e1 instalado. Se incluye una versi\u00f3n vulnerable del plugin con Bitbucket Server/Data Center versiones anteriores a 6.6.0, Confluence Server / Data Center versiones anteriores a 7.0.1, Jira Server / Data Center versiones anteriores a 8.3.2, Crowd / Crowd Data Center versiones anteriores a 3.6.0, Fisheye versiones anteriores a 4.7.2, Crucible versiones anteriores a 4.7.2 y Bamboo versiones anteriores a 6.10.2." 
} ], "id": "CVE-2019-15005", "lastModified": "2024-11-21T04:27:51.487", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-08T04:15:10.307", "references": [ { "source": "security@atlassian.com", "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-20647" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://herolab.usd.de/security-advisories/usd-2019-0016/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-20647" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "218C960A-04C6-4242-BEBA-C81CF5F1F722", "versionEndExcluding": "7.2.10", "versionStartIncluding": "7.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "E360CDE0-FD1E-4337-8268-DB89CF605EE0", "versionEndExcluding": "8.0.9", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0913EE0-2046-4E7E-966D-DC894E34D12B", "versionEndExcluding": "8.1.8", "versionStartIncluding": "8.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "D182C1B1-A5FF-4777-9835-4E9114BB68DC", "versionEndExcluding": "8.2.4", "versionStartIncluding": "8.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DCD53E4-3169-4E8A-88D1-38BE51D09DD3", "versionEndExcluding": "7.6.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B878E40-95A7-40A7-9C52-6BC0C2FD3F54", "versionEndExcluding": "7.17.8", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "46305D5A-7F7B-4A04-9DAD-E582D1193A7E", "versionEndExcluding": "7.19.5", "versionStartIncluding": "7.18.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "A96B135B-9272-457E-A557-6566554262D3", "versionEndExcluding": "7.20.2", "versionStartIncluding": "7.20.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "62956861-BEDE-40C8-B628-C831087E7BDB", "versionEndExcluding": "7.21.2", "versionStartIncluding": "7.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": 
"7A85565F-3F80-4E00-A706-AB4B2EAA4AFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "99E2E3C0-CDF0-4D79-80A6-85E71B947ED9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C543CA6-8E8A-476C-AB27-614DF4EC68A5", "versionEndExcluding": "7.4.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "45FD913B-45DE-4CA8-9733-D62F54B19E74", "versionEndExcluding": "7.13.7", "versionStartIncluding": "7.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "12E753EB-0D31-448B-B8DE-0A95434CC97C", "versionEndExcluding": "7.14.3", "versionStartIncluding": "7.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE114494-74F0-454C-AAC4-8B8E5F1C67D0", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.15.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "90BB3572-29ED-415F-AD34-00EB76271F9C", "versionEndExcluding": "7.16.4", "versionStartIncluding": "7.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "30EF756A-B4E9-4E5D-BE6F-02CE95F12C9C", "versionEndExcluding": "7.17.4", "versionStartIncluding": "7.17.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "A56B6A10-E23F-49EF-8C07-1AEDFCAE2788", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE8BE634-1599-4790-9410-6CA43BC60C4D", "versionEndExcluding": "7.4.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": 
"52E68DFD-48F5-4949-AFEA-3829CA5DFC04", "versionEndExcluding": "7.13.7", "versionStartIncluding": "7.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DCDEC6C-4515-4CAA-9D82-7BF68A3AAE7E", "versionEndExcluding": "7.14.3", "versionStartIncluding": "7.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9948F94-DF67-4E3C-8CD4-417D57FBC60F", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.15.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "30E63ECB-85A8-4D41-A9B5-9FFF18D9CDB1", "versionEndExcluding": "7.16.4", "versionStartIncluding": "7.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "694171BD-FAE2-472C-8183-04BCA2F7B9A7", "versionEndExcluding": "7.17.4", "versionStartIncluding": "7.17.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "0AC5E81B-DA4B-45E7-9584-4B576E49FD8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE028964-B3FC-4883-9967-68DE46EE7F6F", "versionEndExcluding": "4.3.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "57DC9E2A-4C89-420D-9330-F11E56BF2F83", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C50A718F-C67B-4462-BB7E-F80408DEF07D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "92329A2E-13E8-4818-85AB-3E7F479411EF", "versionEndExcluding": "4.8.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "30DDE751-CA88-4CFB-9E60-4243851B4B53", 
"versionEndExcluding": "4.8.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "D91B8507-A7A7-4B74-9999-F1DEA9F487A9", "versionEndExcluding": "8.13.22", "versionStartIncluding": "8.13.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "963AE427-2897-42CB-AE11-654D700E690B", "versionEndExcluding": "8.20.10", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7CD8891-BB97-4AD3-BEE4-6CCA0D8A2D85", "versionEndExcluding": "8.22.4", "versionStartIncluding": "8.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E73A5202-6114-48E6-8F9B-C03B2E707055", "versionEndExcluding": "8.13.22", "versionStartIncluding": "8.13.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D22AB11D-1D73-45DC-803C-146EFED18CDA", "versionEndExcluding": "8.20.10", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB2091E9-0B14-4786-852F-454C56D20839", "versionEndExcluding": "8.22.4", "versionStartIncluding": "8.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "1451C219-8AAA-4165-AE2C-033EF7B6F93A", "versionEndExcluding": "4.13.22", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*", "matchCriteriaId": "BD23F987-0F14-4938-BB51-4EE61C24EB62", "versionEndExcluding": "4.13.22", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "39F77953-41D7-4398-9F07-2A057A993762", "versionEndExcluding": "4.20.10", "versionStartIncluding": "4.14.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*", "matchCriteriaId": "CADBE0E7-36D9-4F6F-BEE6-A1E0B9428C2A", "versionEndExcluding": "4.20.10", "versionStartIncluding": "4.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "DC0DB08B-2034-4691-A7B2-3E5F8B6318B1", "versionEndExcluding": "4.22.4", "versionStartIncluding": "4.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*", "matchCriteriaId": "97A17BE7-7CCC-46D8-A317-53E2B026DF6E", "versionEndExcluding": "4.22.4", "versionStartIncluding": "4.21.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. 
Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4." }, { "lang": "es", "value": "Una vulnerabilidad en varios productos de Atlassian permite a un atacante remoto no autenticado omitir los filtros Servlet usados por aplicaciones de primera y tercera parte. El impacto depende de los filtros usados por cada aplicaci\u00f3n y de c\u00f3mo son usados los filtros. Esta vulnerabilidad puede resultar en una omisi\u00f3n de la autenticaci\u00f3n y un ataque de tipo cross-site scripting. Atlassian ha publicado actualizaciones que corrigen la causa principal de esta vulnerabilidad, pero no ha enumerado exhaustivamente todas las consecuencias potenciales de esta vulnerabilidad. Est\u00e1n afectadas las versiones de Atlassian Bamboo anteriores a 8.0.9, desde 8.1.0 hasta 8.1.8, y desde la 8.2.0 hasta 8.2.4. Las versiones de Atlassian Bitbucket est\u00e1n afectadas anteriores a 7.6.16, desde la 7.7.0 anteriores a 7.17.8, desde la 7.18.0 anteriores a 7.19.5, desde la 7.20.0 anteriores a 7.20.2, desde la 7.21.0 anteriores a 7.21.2, y las versiones 8.0.0 y 8.1.0. Est\u00e1n afectadas las versiones de Atlassian Confluence anteriores a 7.4.17, desde la 7.5.0 anteriores a 7.13.7, desde la 7.14.0 anteriores a 7.14.3, desde la 7.15.0 anteriores a 7.15.2, desde la 7.16.0 anteriores a 7.16.4, desde la 7.17.0 anteriores a 7.17.4 y la versi\u00f3n 7.21.0. Est\u00e1n afectadas las versiones de Atlassian Crowd anteriores a 4.3.8, desde la 4.4.0 hasta 4.4.2, y la versi\u00f3n 5.0.0. Est\u00e1n afectadas las versiones de Atlassian Fisheye y Crucible anteriores a 4.8.10. Est\u00e1n afectadas las versiones de Atlassian Jira anteriores a 8.13.22, desde la 8.14.0 hasta 8.20.10, y desde la 8.21.0 hasta 8.22.4. 
Las versiones de Atlassian Jira Service Management est\u00e1n afectadas anteriores a 4.13.22, desde la 4.14.0 anteriores a 4.20.10, y desde la 4.21.0 anteriores a 4.22.4" } ], "id": "CVE-2022-26136", "lastModified": "2024-11-21T06:53:30.297", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-07-20T18:15:08.487", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" 
], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", 
"value": "CWE-180" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "2702AA86-6CD2-4B9F-9AD8-A151A6E95A43", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*", "matchCriteriaId": "2764BBDA-4FA2-4FFD-A126-823CB52D0D06", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "42875600-4DA1-4574-9F9D-0FB8AE61DD10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C79631B-6B9F-4FC0-9B12-17CD656A1CD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "C2337D88-9821-4794-B0C8-6FA73BD158C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F2F087A2-790D-4D36-82F0-83C6BF504216", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "2162E45E-58ED-43B5-905F-C2E7475E0DB6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "69BE15C9-542E-4586-8B05-BBE1508266E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "8C8F7C6B-C6DF-4106-83FA-C8BCB2A0D02A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "3D461805-C648-420C-9352-64634DC06CF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "F995A4F3-EDB9-431C-864E-253EACB523A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B407F0C-D5CA-4D33-A124-CBEC74B5EF5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "0F1B608F-A264-4FFB-9250-311ECEC065E2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*", 
"matchCriteriaId": "5259D2D7-ABAE-4024-AA80-77D7F6A2AD21", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*", "matchCriteriaId": "E42A908E-D53D-4A7A-917E-FB66C846CC55", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "F41AEA85-6758-448C-B7AC-87E252380BBB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "AE7F1728-FBE3-4FEF-8CA9-E613D5873FC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "5021430D-C84B-4F67-A490-A0D6C87B25D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "64083DE3-8072-4CAC-B374-5FF402E048A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A940B1E-3E73-4A3E-912B-BF482776CF5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "6DB6A4F7-4827-4965-8790-41A60AAD98C9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "CA69F796-66AC-49BA-BF8C-348E6FDB2176", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "98DE5577-DFD8-42E7-A70A-3402D6386E79", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "BEA5C7C8-CDD5-4D22-A0B6-F7DEC87CDC9E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B19625B6-CDBE-485B-BAF1-53ABB770C7B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "866C3CB4-B8FE-4D22-B130-67139D193B83", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "7BD2FA24-8D68-4F31-8F88-A0930A92591B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4F3C3168-20E6-41D2-845B-5A661DCF6A21", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E3BD0EAF-1C94-43A0-9133-9ADD8CAB8F87", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A4074958-998F-4333-8C81-45D0A765FB6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "0C5E5257-9004-4874-86A0-A3AB4230CE44", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "4F9F3A23-71C8-4F65-A739-26BAAF1D9620", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "2539517E-733A-427A-A0DA-F20E6C8A0A0A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "FEE47E00-3496-4E22-9BDC-7BAF77516249", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*", "matchCriteriaId": "B207B5EC-B2F2-4ED2-94B7-20CC15D542B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "70595742-7AB8-4A9D-94B4-8EADA093DC6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "DD49DEBD-557F-4D65-9DA3-5A4CA0CB014C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1EE8039C-2F64-4056-AADC-66408FADB090", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "36190377-CD45-458D-A533-5D68FC38753F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "E2A7E6EF-CEF1-4A6A-8C1F-3BA2CF17D9B4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F3DF4FF-4C86-4D9F-882C-96482F69F871", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7760BAB-C6F3-40B4-8A65-0778C91B2481", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D38BBD36-6F5F-44E4-8B74-A1F2E6E9ADE2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "173874C7-0A68-447D-9284-6904BBBA8D86", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "124E0B33-9C58-4AC9-9064-EE9F29FA56CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "89526493-E441-43A6-9C8B-FF16AFD9060F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D1921815-49AD-474C-8898-614C2209CAEB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "0761166B-7FD9-4574-8C13-0336343ADC46", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "1B13D9DB-83A0-42AE-A665-214A71890ED0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "FF901B9B-49DE-4676-8245-E280CF5A7EFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "7A1D8D9B-E39E-4E77-831E-1D417ACEA5C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "951E6F5B-C905-40F2-B164-647A3E948EAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B408EA00-A128-4927-BFBB-AF0B42EABA56", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8B6E80ED-818F-4438-BD2A-AD4847178ABF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"EF0876B2-B95C-464B-9479-CEAA9A64E01A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "ABFD011B-EC46-4BFC-AAAB-ABE6612B85E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "DCAE8C05-486F-4EC5-B084-2D55331C5EDB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "D58EB432-8BFF-4CEC-B46C-695E77E2435C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "103A0455-79B1-4135-9384-C673A2459AEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "087D5B44-B9A5-480C-9DDA-16132A79E2FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "BE87C15D-09B8-4B5A-866F-5C2C8A43FB01", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "C2A5DB02-607E-4147-86BD-205BF33C8A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "54646B4B-05D3-4628-980D-D77C4AAF87F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4BFD6A97-95B8-4536-AA16-713D76CAC446", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D9ACEC08-CD6D-4B8F-8A82-A75F925D130B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "352DED96-3E03-48EE-9DF2-0DE73E707845", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9E2D3C-D744-4730-83C6-CAFA0C41C916", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "DA7AC6DD-FE26-4A33-99BC-E3C0B90C1A93", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "95EB3E57-96E8-42EC-95BE-B14770E450C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "21BC1141-5BE1-4178-9DD7-B7E3CFA59C82", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "E64CB47F-1D9B-4C2F-BA47-713F886F2E73", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "E209CB6F-F792-41D9-BC09-41FF771E3659", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650A769F-762F-431F-A6B4-3F4AD97C3A34", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "EEEBC112-E305-4CE6-A935-1D8DBB5A6ED6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "72284F9F-A0DA-4BED-B2CA-83D525ED4A37", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "8FF3C458-CA8A-4128-BE1C-0AF405D4CC0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "C76C64DA-FAB9-4E72-9F71-088406451285", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "3DF61CCA-0502-4DBB-990A-6F602E947C95", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*", "matchCriteriaId": "F0F2F76E-8150-4432-96A8-52C1D88C1784", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A2F5445-4C2E-49BF-8B5F-B4AACE00CC5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "14BAF1A9-0CBF-4B4F-AD8A-7511659D4FA4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*", "matchCriteriaId": "38CC432B-4F6C-48A9-9781-F721D254EBEF", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "C4CE881C-9283-45C3-8982-5887C85C1962", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4DCD084-030A-4CEB-A16E-765B795E17E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "E64A9422-8C57-4AA8-A166-1C287C09BA48", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*", "matchCriteriaId": "E44C5F8E-3414-46A8-AC8E-FEF270CBA38E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "9027FC28-00AA-4556-AA9F-C9EF816DFD78", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "209C5313-C450-488E-BF5E-531415B8A484", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "F42F8BBF-3FEF-4922-ACEF-89899337F574", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "CF9AAA21-4223-4643-9E39-8DD3FF850B6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "F9C45391-347E-4343-8585-58400A219FBB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port." }, { "lang": "es", "value": "Un recurso no especificado en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0 permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de datos serializados al puerto JMS." 
} ], "id": "CVE-2015-8360", "lastModified": "2024-11-21T02:38:21.977", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-02-08T19:59:03.563", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-17101" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/537347/100/0/threaded" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-17101" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/102193 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Patch, Vendor Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-18843 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102193 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-18843 | Issue Tracking, Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "D05A0A86-3C17-4983-B592-C95CC753A2B2", "versionEndExcluding": "6.1.6", "versionStartIncluding": "2.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EF607C7-BC76-4660-B9F6-C8D56D19BE20", "versionEndExcluding": "6.2.5", "versionStartIncluding": "6.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Bamboo did not check whether the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability." }, { "lang": "es", "value": "Bamboo no comprob\u00f3 que el nombre de una rama en un repositorio de Mercurial conten\u00eda par\u00e1metros de argumento. Un atacante que tiene permiso para crear un repositorio en Bamboo, editar un plan existente que tenga un repositorio de Mercurial no enlazado, crear o editar un plan en el que haya al menos un repositorio de Mercurial enlazado para el que el atacante tenga permiso de utilizaci\u00f3n, o commit con ID en un repositorio de Mercurial empleado por un plan Bamboo con la detecci\u00f3n de ramas habilitada puede ejecutar el c\u00f3digo que elija en sistemas que ejecuten una versi\u00f3n vulnerable de Bamboo Server. 
Las versiones de Bamboo que comienzan por 2.7.0 anteriores a la 6.1.6 (la versi\u00f3n corregida para 6.1.x) y desde la 6.2.0 anteriores a la 6.2.5 (la versi\u00f3n corregida para 6.2.x) se han visto afectadas por esta vulnerabilidad." } ], "id": "CVE-2017-14590", "lastModified": "2024-11-21T03:13:09.767", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-12-13T15:29:00.297", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102193" }, { "source": "security@atlassian.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-18843" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB 
Entry" ], "url": "http://www.securityfocus.com/bid/102193" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-18843" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19664 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19664 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "81E848FD-F297-4BA3-A186-F1C8494373CA", "versionEndExcluding": "6.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability." }, { "lang": "es", "value": "El recurso saveConfigureSecurity en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen las opciones de seguridad mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF)." } ], "id": "CVE-2017-18080", "lastModified": "2024-11-21T03:19:19.187", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-02-02T14:29:01.047", "references": [ { "source": "security@atlassian.com", 
"tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19664" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19664" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/BAM-21215 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-21215 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC678268-C957-400D-A333-180253DD2FA4", "versionEndExcluding": "7.2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path of the home directory on disk and whether certain files exist in the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2." }, { "lang": "es", "value": "Las versiones afectadas de Atlassian Bamboo permiten a un atacante remoto no autenticado visualizar un seguimiento de la pila que puede revelar la ruta del directorio de inicio en el disco y si determinados archivos existen en el directorio tmp, por medio de una vulnerabilidad de Exposici\u00f3n de Datos Confidenciales en el endpoint /chart. Las versiones afectadas son las anteriores a la versi\u00f3n 7.2.2" } ], "id": "CVE-2021-26067", "lastModified": "2024-11-21T05:55:48.290", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": 
"NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-28T02:15:12.557", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-21215" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-21215" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
atlassian | bamboo | * | |
atlassian | bamboo | * | |
atlassian | confluence | * | |
atlassian | confluence_server | * | |
atlassian | confluence_server | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crowd | * | |
atlassian | crucible | * | |
atlassian | crucible | * | |
atlassian | crucible | * | |
atlassian | fisheye | * | |
atlassian | fisheye | * | |
atlassian | fisheye | * | |
atlassian | jira | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C1EA6F7-CF4A-43C8-AD67-4A3E97D7B0BC", "versionEndExcluding": "3.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B53F201-032F-4672-A271-8D424B939775", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4059F4D-831C-467C-91BC-B49BB7A5487E", "versionEndExcluding": "3.5.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9718C5D3-364A-4BD0-B60D-5FCEA8B1BAFF", "versionEndExcluding": "4.0.7", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "121D6C9B-9746-423C-9A0A-13697F7B490B", "versionEndExcluding": "4.1.10", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB8E3563-1CF4-4665-8CD3-CAEFFBB6B3B6", "versionEndExcluding": "2.0.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "55437340-1D44-41C7-B82A-6E6473C17B62", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "68C5F90D-1AB3-409E-9A84-8EF42735BCD9", "versionEndExcluding": "2.2.9", "versionStartIncluding": "2.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "C99026A0-1B4A-4CF7-B7E5-DC1231302CEC", "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "28E820F2-4E46-4744-9EE9-C9CDEF78B8D7", "versionEndExcluding": "2.4.1", 
"versionStartIncluding": "2.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD4C65C4-2C22-48F2-B4F6-D40915374FF1", "versionEndExcluding": "2.5.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "263668EC-0168-4FC2-82E3-6606269AE372", "versionEndExcluding": "2.6.8", "versionStartIncluding": "2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "B62B11D8-BC78-431B-91D4-F6CE14E0C7D0", "versionEndExcluding": "2.7.12", "versionStartIncluding": "2.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "77B117D3-9D05-4192-9A40-B4610D636DE7", "versionEndExcluding": "2.5.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "3768A3A7-B5F8-46C7-A932-1C779C167216", "versionEndExcluding": "2.6.8", "versionStartIncluding": "2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "4779A8F0-9CDB-46F7-9EB6-B155187218EB", "versionEndExcluding": "2.7.12", "versionStartIncluding": "2.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "20F692D8-2A86-403D-82C6-363C9798BD3A", "versionEndExcluding": "5.0.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) 
via unspecified vectors." }, { "lang": "es", "value": "Atlassian JIRA antes de v5.0.1; Confluence antes de v3.5.16, v4.0 antes de v4.0.7, y v4.1 antes del v4.1.10; \u0027FishEye and Crucible\u0027 antes de v2.5.8, v2.6 antes de v2.6.8, y v2.7 antes de v2.7.12; Bamboo antes de v3.3.4 y v3.4.x antes de v3.4.5, y Crowd antes de v2.0.9, v2.1 antes de v2.1.2, v2.2 antes de v2.2.9, v2.3 antes de v2.3.7 y v2.4 antes de v2.4.1 no restringen correctamente las capacidades de los analizadores XML de terceros, lo que permite leer ficheros de su elecci\u00f3n o causar una denegaci\u00f3n de servicio (por excesivo consumo de recursos) a atacantes remotos a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2012-2926", "lastModified": "2024-11-21T01:39:57.133", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2012-05-22T15:55:02.853", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://osvdb.org/81993" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/49146" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/53595" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/81993" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/49146" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/53595" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75697" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html | Third Party Advisory, VDB Entry | |
cve@mitre.org | http://www.securityfocus.com/archive/1/536747/100/0/threaded | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://confluence.atlassian.com/x/Hw7RLg | Vendor Advisory | |
cve@mitre.org | https://jira.atlassian.com/browse/BAM-16439 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/536747/100/0/threaded | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/x/Hw7RLg | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-16439 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "E89422DD-784F-4FCA-BD0E-78C707620E37", "versionEndExcluding": "5.8.5", "versionStartIncluding": "2.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C913313-26B3-4854-964B-B091B74CC66E", "versionEndExcluding": "5.9.7", "versionStartIncluding": "5.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource." }, { "lang": "es", "value": "Bamboo 2.2 en versiones anteriores a la 5.8.5 y en versiones 5.9.x anteriores a la 5.9.7 permite que los atacantes remotos con acceso a la interfaz web de Bamboo ejecuten c\u00f3digo Java mediante un recurso no especificado." } ], "id": "CVE-2015-6576", "lastModified": "2024-11-21T02:35:14.793", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-03T01:29:00.607", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/x/Hw7RLg" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-16439" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/536747/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/x/Hw7RLg" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-16439" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/101269 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/101269 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DACC3EE-5898-457C-B9FE-DCBA2634DE4F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "67BEBCA5-8704-4557-8119-AF4C0799394E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "451870E0-326D-424F-86E9-B04A177B7D6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "79E39376-B888-40C9-9DC6-036D5C573823", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "09F1CF26-C2CA-4BEB-B3E1-45B280FE4F9E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "374EF21B-238E-4173-AABB-771B4CC636B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "83D8E6A7-EA13-474B-B7DD-3EC9F05438D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA5E64B2-EA6A-433A-ACF7-540F8273CFE8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo." }, { "lang": "es", "value": "Bamboo en versiones anteriores a la 6.0.5, 6.1.x anteriores a la 6.1.4 y 6.2.x anteriores a la 6.2.1 ten\u00eda un endpoint REST que analizaba sint\u00e1cticamente un archivo YAML y no restring\u00eda suficientemente qu\u00e9 clases se pod\u00edan cargar. 
Un atacante que pueda iniciar sesi\u00f3n en Bamboo como un usuario ser\u00eda capaz de explotar esta vulnerabilidad para ejecutar c\u00f3digo Java de su elecci\u00f3n en sistemas que tienen versiones vulnerables de Bamboo." } ], "id": "CVE-2017-9514", "lastModified": "2024-11-21T03:36:18.437", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-12T13:29:00.200", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/101269" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/101269" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103653 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://confluence.atlassian.com/x/PS9sO | Mitigation, Vendor Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19743 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103653 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/x/PS9sO | Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19743 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "11FF1812-D2C9-4F21-8CC5-5A32645D8A00", "versionEndExcluding": "6.3.3", "versionStartIncluding": "2.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A1254F4-D57B-4580-A886-9AF0360E347D", "versionEndExcluding": "6.4.1", "versionStartIncluding": "6.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability." }, { "lang": "es", "value": "Bamboo no comprob\u00f3 correctamente si un URI de repositorio Mercurial configurado conten\u00eda valores que el sistema operativo de Windows podr\u00eda considerar como par\u00e1metros de argumento. 
Un atacante que tenga permiso para crear un repositorio en Bamboo, editar un plan existente en Bamboo que tenga un repositorio de Mercurial no enlazado o crear un plan en Bamboo de forma global o en un proyecto mediante Bamboo Specs puede ejecutar c\u00f3digo de su elecci\u00f3n en sistemas que ejecutan una versi\u00f3n vulnerable de Bamboo en el sistema operativo de Windows. Todas las versiones de Bamboo que comienzan por 2.7.0 anteriores a la 6.3.3 (la versi\u00f3n corregida para 6.3.x) y desde la 6.4.0 anteriores a la 6.4.1 (la versi\u00f3n corregida para 6.4.x) que se ejecutan en el sistema operativo Windows se han visto afectadas por esta vulnerabilidad." } ], "id": "CVE-2018-5224", "lastModified": "2024-11-21T04:08:22.350", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-29T13:29:00.350", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103653" }, 
{ "source": "security@atlassian.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://confluence.atlassian.com/x/PS9sO" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19743" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103653" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://confluence.atlassian.com/x/PS9sO" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19743" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/102188 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Vendor Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-18842 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102188 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-18842 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "45F6525F-033C-4BD3-85D4-0770A2177A6D", "versionEndExcluding": "6.1.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EF607C7-BC76-4660-B9F6-C8D56D19BE20", "versionEndExcluding": "6.2.5", "versionStartIncluding": "6.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability." }, { "lang": "es", "value": "Era posible que ocurriese una evaluaci\u00f3n doble de OGNL en las plantillas de FreeMarker con etiquetas Struts FreeMarker. Un atacante que cuente con derechos restringidos de administraci\u00f3n en Bamboo o que aloje un sitio web que visite un administrador de Bamboo es capaz de explotar esta vulnerabilidad para ejecutar el c\u00f3digo Java que elija en sistemas que ejecuten una versi\u00f3n vulnerable de Bamboo. Todas las versiones de Bamboo anteriores a la 6.1.6 (la versi\u00f3n corregida para 6.1.x) y desde la 6.2.0 anteriores a la 6.2.5 (la versi\u00f3n corregida para 6.2.x) se han visto afectadas por esta vulnerabilidad." 
} ], "id": "CVE-2017-14589", "lastModified": "2024-11-21T03:13:09.660", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-12-13T15:29:00.217", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102188" }, { "source": "security@atlassian.com", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-18842" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/102188" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-18842" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "F46F9B89-7DCF-4DE1-8EE6-BC25F5E09AE7", "versionEndIncluding": "5.11.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0FA3E09-85DE-48CA-AEC8-ECC5FAA53A5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "D6B16FA0-4131-4C34-AEC8-69F1336FC496", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "C8E2EBFD-D17C-4539-93D6-5542FC81BD88", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization." }, { "lang": "es", "value": "Atlassian Bamboo en versiones anteriores a 5.11.4.1 y 5.12.x en versiones anteriores a 5.12.3.1 no restringe adecuadamente clases deserializadas permitidas, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores relacionados con XStream Serialization." 
} ], "id": "CVE-2016-5229", "lastModified": "2024-11-21T02:53:53.010", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-08-02T16:59:02.260", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/92057" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://jira.atlassian.com/browse/BAM-17736" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/539003/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/92057" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://jira.atlassian.com/browse/BAM-17736" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103110 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19663 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103110 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19663 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "81E848FD-F297-4BA3-A186-F1C8494373CA", "versionEndExcluding": "6.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability." }, { "lang": "es", "value": "El recurso de actualizaci\u00f3n de administraci\u00f3n de usuarios en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen los datos de usuario, incluyendo las contrase\u00f1as, mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF)." } ], "id": "CVE-2017-18042", "lastModified": "2024-11-21T03:19:14.000", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2018-02-02T14:29:00.983", "references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103110" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19663" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103110" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19663" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "218C960A-04C6-4242-BEBA-C81CF5F1F722", "versionEndExcluding": "7.2.10", "versionStartIncluding": "7.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "E360CDE0-FD1E-4337-8268-DB89CF605EE0", "versionEndExcluding": "8.0.9", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0913EE0-2046-4E7E-966D-DC894E34D12B", "versionEndExcluding": "8.1.8", "versionStartIncluding": "8.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "D182C1B1-A5FF-4777-9835-4E9114BB68DC", "versionEndExcluding": "8.2.4", "versionStartIncluding": "8.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DCD53E4-3169-4E8A-88D1-38BE51D09DD3", "versionEndExcluding": "7.6.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B878E40-95A7-40A7-9C52-6BC0C2FD3F54", "versionEndExcluding": "7.17.8", "versionStartIncluding": "7.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "46305D5A-7F7B-4A04-9DAD-E582D1193A7E", "versionEndExcluding": "7.19.5", "versionStartIncluding": "7.18.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "A96B135B-9272-457E-A557-6566554262D3", "versionEndExcluding": "7.20.2", "versionStartIncluding": "7.20.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "62956861-BEDE-40C8-B628-C831087E7BDB", "versionEndExcluding": "7.21.2", "versionStartIncluding": "7.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": 
"7A85565F-3F80-4E00-A706-AB4B2EAA4AFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "99E2E3C0-CDF0-4D79-80A6-85E71B947ED9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C543CA6-8E8A-476C-AB27-614DF4EC68A5", "versionEndExcluding": "7.4.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "45FD913B-45DE-4CA8-9733-D62F54B19E74", "versionEndExcluding": "7.13.7", "versionStartIncluding": "7.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "12E753EB-0D31-448B-B8DE-0A95434CC97C", "versionEndExcluding": "7.14.3", "versionStartIncluding": "7.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE114494-74F0-454C-AAC4-8B8E5F1C67D0", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.15.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "90BB3572-29ED-415F-AD34-00EB76271F9C", "versionEndExcluding": "7.16.4", "versionStartIncluding": "7.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "30EF756A-B4E9-4E5D-BE6F-02CE95F12C9C", "versionEndExcluding": "7.17.4", "versionStartIncluding": "7.17.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "A56B6A10-E23F-49EF-8C07-1AEDFCAE2788", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE8BE634-1599-4790-9410-6CA43BC60C4D", "versionEndExcluding": "7.4.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": 
"52E68DFD-48F5-4949-AFEA-3829CA5DFC04", "versionEndExcluding": "7.13.7", "versionStartIncluding": "7.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DCDEC6C-4515-4CAA-9D82-7BF68A3AAE7E", "versionEndExcluding": "7.14.3", "versionStartIncluding": "7.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9948F94-DF67-4E3C-8CD4-417D57FBC60F", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.15.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "30E63ECB-85A8-4D41-A9B5-9FFF18D9CDB1", "versionEndExcluding": "7.16.4", "versionStartIncluding": "7.16.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "694171BD-FAE2-472C-8183-04BCA2F7B9A7", "versionEndExcluding": "7.17.4", "versionStartIncluding": "7.17.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "0AC5E81B-DA4B-45E7-9584-4B576E49FD8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE028964-B3FC-4883-9967-68DE46EE7F6F", "versionEndExcluding": "4.3.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "matchCriteriaId": "57DC9E2A-4C89-420D-9330-F11E56BF2F83", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C50A718F-C67B-4462-BB7E-F80408DEF07D", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "matchCriteriaId": "92329A2E-13E8-4818-85AB-3E7F479411EF", "versionEndExcluding": "4.8.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "30DDE751-CA88-4CFB-9E60-4243851B4B53", 
"versionEndExcluding": "4.8.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "D91B8507-A7A7-4B74-9999-F1DEA9F487A9", "versionEndExcluding": "8.13.22", "versionStartIncluding": "8.13.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "963AE427-2897-42CB-AE11-654D700E690B", "versionEndExcluding": "8.20.10", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7CD8891-BB97-4AD3-BEE4-6CCA0D8A2D85", "versionEndExcluding": "8.22.4", "versionStartIncluding": "8.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E73A5202-6114-48E6-8F9B-C03B2E707055", "versionEndExcluding": "8.13.22", "versionStartIncluding": "8.13.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D22AB11D-1D73-45DC-803C-146EFED18CDA", "versionEndExcluding": "8.20.10", "versionStartIncluding": "8.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB2091E9-0B14-4786-852F-454C56D20839", "versionEndExcluding": "8.22.4", "versionStartIncluding": "8.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "1451C219-8AAA-4165-AE2C-033EF7B6F93A", "versionEndExcluding": "4.13.22", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*", "matchCriteriaId": "BD23F987-0F14-4938-BB51-4EE61C24EB62", "versionEndExcluding": "4.13.22", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "39F77953-41D7-4398-9F07-2A057A993762", "versionEndExcluding": "4.20.10", "versionStartIncluding": "4.14.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*", "matchCriteriaId": "CADBE0E7-36D9-4F6F-BEE6-A1E0B9428C2A", "versionEndExcluding": "4.20.10", "versionStartIncluding": "4.14.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*", "matchCriteriaId": "DC0DB08B-2034-4691-A7B2-3E5F8B6318B1", "versionEndExcluding": "4.22.4", "versionStartIncluding": "4.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*", "matchCriteriaId": "97A17BE7-7CCC-46D8-A317-53E2B026DF6E", "versionEndExcluding": "4.22.4", "versionStartIncluding": "4.21.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. 
Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4." }, { "lang": "es", "value": "Una vulnerabilidad en diversos productos de Atlassian permite a un atacante remoto no autenticado causar que sean invocados Filtros Servlet adicionales cuando la aplicaci\u00f3n procesa peticiones o respuestas. Atlassian ha confirmado y corregido el \u00fanico problema de seguridad conocido asociado a esta vulnerabilidad: Omisi\u00f3n de recursos de origen cruzado (CORS). El env\u00edo de una petici\u00f3n HTTP especialmente dise\u00f1ada puede invocar el filtro Servlet usado para responder a las peticiones CORS, resultando en una omisi\u00f3n de CORS. Un atacante que pueda enga\u00f1ar a un usuario para que solicite una URL maliciosa puede acceder a la aplicaci\u00f3n vulnerable con los permisos de la v\u00edctima. Est\u00e1n afectadas las versiones de Atlassian Bamboo anteriores a 8.0.9, desde la 8.1.0 anteriores a 8.1.8 y de la 8.2.0 anteriores a 8.2.4. Las versiones de Atlassian Bitbucket est\u00e1n afectadas anteriores a 7.6.16, desde la 7.7.0 anteriores a 7.17.8, desde la 7.18.0 anteriores a 7.19.5, desde la 7.20.0 anteriores a 7.20.2, desde la 7.21.0 anteriores a 7.21.2, y las versiones 8.0.0 y 8.1.0. Est\u00e1n afectadas las versiones de Atlassian Confluence anteriores a 7.4.17, desde la 7.5.0 anteriores a 7.13.7, desde la 7.14.0 anteriores a 7.14.3, desde la 7.15.0 anteriores a 7.15.2, desde la 7.16.0 anteriores a 7.16.4, desde la 7.17.0 anteriores a 7.17.4 y la versi\u00f3n 7.21.0. Est\u00e1n afectadas las versiones de Atlassian Crowd anteriores a 4.3.8, desde la 4.4.0 hasta 4.4.2, y la versi\u00f3n 5.0.0. 
Est\u00e1n afectadas las versiones de Atlassian Fisheye y Crucible anteriores a 4.8.10. Est\u00e1n afectadas las versiones de Atlassian Jira anteriores a 8.13.22, desde la 8.14.0 hasta 8.20.10, y desde la 8.21.0 hasta 8.22.4. Las versiones de Atlassian Jira Service Management est\u00e1n afectadas anteriores a 4.13.22, desde la 4.14.0 anteriores a 4.20.10, y desde la 4.21.0 anteriores a 4.22.4" } ], "id": "CVE-2022-26137", "lastModified": "2024-11-21T06:53:30.583", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-07-20T18:15:08.557", "references": [ { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "source": 
"security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-21795" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BSERV-13370" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CONFSERVER-79476" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CRUC-8541" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/CWD-5815" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/FE-7410" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JRASERVER-73897" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue 
Tracking", "Patch", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/JSDSERVER-11863" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-180" } ], "source": "security@atlassian.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-346" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
security@atlassian.com | http://www.securityfocus.com/bid/103070 | Third Party Advisory, VDB Entry | |
security@atlassian.com | https://jira.atlassian.com/browse/BAM-19661 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/103070 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BAM-19661 | Issue Tracking, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "matchCriteriaId": "44C21470-8C72-47DC-AA27-6E952CFCC2F7", "versionEndExcluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release." }, { "lang": "es", "value": "El recurso viewDeploymentVersionCommits en Atlassian Bamboo, en versiones anteriores a la 6.2.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una versi\u00f3n." } ], "id": "CVE-2017-18040", "lastModified": "2024-11-21T03:19:13.760", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-02-02T14:29:00.873", 
"references": [ { "source": "security@atlassian.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103070" }, { "source": "security@atlassian.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19661" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103070" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://jira.atlassian.com/browse/BAM-19661" } ], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
var-201703-0755
Vulnerability from variot
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. Apache Struts2 contains a vulnerability that allows the execution of arbitrary code. The vulnerability is in the Jakarta Multipart parser of Apache Struts2. Attack code for this vulnerability has been released. By processing a request crafted by a remote third party, arbitrary code could be executed with the privileges of the application. Apache Struts is prone to a remote code-execution vulnerability. Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are vulnerable.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03723en_us
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03723en_us Version: 1
HPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts, Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2017-03-29 Last Updated: 2017-03-29
Potential Security Impact: Remote: Code Execution
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY A potential security vulnerability has been identified in HPE Aruba ClearPass Policy Manager.
Note: The ClearPass Policy Manager administrative Web interface is affected by the vulnerability. ClearPass Guest, Insight, and Graphite are NOT impacted.
References:
- CVE-2017-5638 - Apache Struts, remote code execution
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- Aruba ClearPass Policy Manager All versions prior to 6.6.5
BACKGROUND
CVSS Base Metrics
=================
Reference | CVSS V3 Score/Vector | CVSS V2 Score/Vector
CVE-2017-5638 | 9.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE Aruba has provided hotfixes for ClearPass 6.6.5, 6.6.4, and 6.5.7. Use one of the following methods to install the appropriate hotfix:
Install the Hotfix Online Using the Software Updates Portal:
- Open ClearPass Policy Manager and go to Administration - Agents and Software Updates - Software Updates.
- In the Firmware and Patch Updates area, find the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638" patch and click the Download button in its row.
- Click Install.
- When the installation is complete and the status is shown as "Needs Restart", proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.
Installing the hotfix Offline Using the Patch File from support.arubanetworks.com:
- Download the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638" patch from the Support site.
- Open the ClearPass Policy Manager Admin UI and go to Administration - Agents and Software Updates - Software Updates.
- At the bottom of the Firmware and Patch Updates area, click Import Updates and browse to the downloaded patch file. The name and description once imported may differ from the name and remark on the support site as these were adjusted after posting. This is purely a cosmetic discrepancy.
- Click Install.
- When the installation is complete and the status is shown as Needs Restart, proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.
Workarounds
Restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration - Server Manager - Server Configuration - Server-Name - Network - Restrict Access and only allowing non-public or network management networks.
Note: Please contact HPE Technical Support if any assistance is needed acquiring the software updates.
HISTORY Version:1 (rev.1) - 29 March 2017 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact your normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEcBAEBCAAGBQJY3BR/AAoJELXhAxt7SZaiMW8H/0+jWL4Evk+KeqP7aYk1msGp 9ih3F2680VrHVsUbSzul3+svnaWTJUgRe7fUTvsh/Q6bx/Eo86yo8iXGjmzETLtY cTuQrHLySo55Pwua9+89V4e13QkRvQ/UmQPYDMPEk9L7wwU9OF0oCpXHQBuWnw07 mKLZ12HaZqM8vJXgwgJFH77Mf3r5TkGFHsrZ0M+2vvxioJIEfmWV/x4eqtvIy6zS C6CX1M9x4xD442XcFfnH0BHA9RL6LOeYngTPYR7IIycvzpqd8kOWunjs38+IJpFR g49ho/NddeZfDKdJcIdfJ+0f3x2h7FPiVadXu1PzdCckhFHkHmrSlVcRbQZ+1R8= =8ljI -----END PGP SIGNATURE-----
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201703-0755", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "struts", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "2.3.30" }, { "model": "struts", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "2.5.8" }, { "model": "struts", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": 
"2.5.7" }, { "model": "struts", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "2.5.5" }, { "model": "struts", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "2.5.2" }, { "model": "struts", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "2.5.10" }, { "model": "struts", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.5.4" }, { "model": "struts", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.5.3" }, { "model": "struts", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.5.6" }, { "model": "struts", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.5.9" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.31" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.28" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.24" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.5" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.5.1" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.5" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.8" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.7" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.29" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.20" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.16" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.15" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.14" }, { "model": "struts", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "2.3.12" }, { "model": "struts", "scope": "eq", "trust": 
1.0, "vendor": "apache", "version": "2.3.15.1" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.15.2" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.14.3" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.19" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.21" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.20.3" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.17" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.14.1" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.28.1" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.24.2" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.16.2" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.24.1" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.26" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.16.1" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.13" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.6" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.14.2" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.9" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.23" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.22" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.20.2" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", 
"version": "2.3.16.3" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.25" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.10" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.20.1" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.24.3" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.11" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.15.3" }, { "model": "struts", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.3.27" }, { "model": "struts", "scope": "lte", "trust": 0.8, "vendor": "apache", "version": "2.3.5 from 2.3.31" }, { "model": "struts", "scope": "lte", "trust": 0.8, "vendor": "apache", "version": "2.5 from 2.5.10" }, { "model": "esmpro/servermanager", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "6.10 to 6.16" }, { "model": "infoframe relational store", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": null }, { "model": "istorage", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "hs series 5.0.5" }, { "model": "staroffice x", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "enterprise v4.0" }, { "model": "staroffice x", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "enterprise v5.0" }, { "model": "staroffice x", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "enterprise v5.1" }, { "model": "staroffice x", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "standard v4.0" }, { "model": "staroffice x", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "standard v5.0" }, { "model": "staroffice x", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "standard v5.1" }, { "model": "webotx developer", "scope": "eq", "trust": 0.8, "vendor": "nec", "version": "\"(with developers studio) v9.3\"" }, { "model": "webotx developer", "scope": 
"eq", "trust": 0.8, "vendor": "nec", "version": "\"(with developers studio) v9.4\"" }, { "model": "hirdb", "scope": "eq", "trust": 0.8, "vendor": "hitachi", "version": "server version 9" }, { "model": "hirdb control manager", "scope": "eq", "trust": 0.8, "vendor": "hitachi", "version": "- server version 9" }, { "model": "vrealize operations manager", "scope": "eq", "trust": 0.3, "vendor": "vmware", "version": "6.0" }, { "model": "vrealize hyperic", "scope": "eq", "trust": 0.3, "vendor": "vmware", "version": "5.0" }, { "model": "vcenter server", "scope": "eq", "trust": 0.3, "vendor": "vmware", "version": "6.5" }, { "model": "vcenter server", "scope": "eq", "trust": 0.3, "vendor": "vmware", "version": "6.0" }, { "model": "horizon desktop as-a-service platform", "scope": "eq", "trust": 0.3, "vendor": "vmware", "version": "7.0" }, { "model": "horizon desktop as-a-service platform", "scope": "eq", "trust": 0.3, "vendor": "vmware", "version": "6.0" }, { "model": "webcenter sites", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "11.1.18.0" }, { "model": "webcenter sites", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "12.2.1.2.0" }, { "model": "webcenter sites", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "12.2.1.1.0" }, { "model": "webcenter sites", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "12.2.1.0.0" }, { "model": "sterling selling and fulfillment foundation", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "9.5" }, { "model": "sterling selling and fulfillment foundation", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "9.4" }, { "model": "sterling selling and fulfillment foundation", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "9.2.1" }, { "model": "sterling selling and fulfillment foundation", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "9.2" }, { "model": "sterling selling and fulfillment foundation", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": 
"9.1" }, { "model": "sterling selling and fulfillment foundation", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "9.3.0" }, { "model": "connections", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "5.5" }, { "model": "connections", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "5.0" }, { "model": "connections", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "4.5" }, { "model": "connections", "scope": "eq", "trust": 0.3, "vendor": "ibm", "version": "4.0" }, { "model": "smsgw v100r003c01", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "smsgw v100r002c11", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "smsgw v100r002c01", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "secospace antiddos8030 v100r001c00", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "imanager neteco v600r007c91", "scope": "eq", "trust": 0.3, "vendor": "huawei", "version": "6000" }, { "model": "imanager neteco v600r007c90", "scope": "eq", "trust": 0.3, "vendor": "huawei", "version": "6000" }, { "model": "imanager neteco v600r007c80", "scope": "eq", "trust": 0.3, "vendor": "huawei", "version": "6000" }, { "model": "imanager neteco v600r008c20", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "imanager neteco v600r008c10", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "imanager neteco v600r008c00", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "imanager neteco v600r007c60spc100", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "imanager neteco v600r007c50", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "imanager neteco v600r007c11", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "espace ecs v300r001c00", "scope": null, "trust": 0.3, "vendor": 
"huawei", "version": null }, { "model": "espace ecs v200r003c10", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "espace ecs v200r003c00", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "espace ecs v200r002c00", "scope": null, "trust": 0.3, "vendor": "huawei", "version": null }, { "model": "universal cmdb foundation software cup5", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.22" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.16" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.15" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.14" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.13" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.12" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.10" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "9.1" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.50" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.20" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.10" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.02" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.01" }, { "model": "server automation", "scope": "eq", "trust": 0.3, "vendor": "hp", "version": "10.00" }, { "model": "virtualized voice browser", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unity connection", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified sip proxy software", "scope": 
"eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified intelligent contact management enterprise", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified intelligence center", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified contact center express", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified contact center enterprise live data server", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "-0" }, { "model": "unified contact center enterprise", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified communications manager session management edition", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified communications manager im \u0026 presence service", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "unified communications manager", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": null }, { "model": "socialminer", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "prime service catalog appliance and virtual appliance", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "prime license manager", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "packaged contact center enterprise", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "mediasense", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "identity services engine", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "hosted collaboration solution for contact center", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "hosted collaboration mediation fulfillment", "scope": "eq", "trust": 0.3, "vendor": "cisco", "version": "0" }, { "model": "finesse", "scope": "eq", "trust": 0.3, "vendor": 
"cisco", "version": "0" }, { "model": "emergency responder", "scope": null, "trust": 0.3, "vendor": "cisco", "version": null }, { "model": "hipchat server", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.0" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.11" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.10.1" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.9.5" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.9.4" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.9.3" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.9.2" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.9.1" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.9" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.8.8" }, { "model": "crowd", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "2.8.3" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.15" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.12" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.11" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.10" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.1" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.12.3.1" }, { "model": "bamboo", "scope": "eq", "trust": 0.3, "vendor": "atlassian", "version": "5.11.4.1" }, { "model": "vcenter server 6.5b", "scope": "ne", "trust": 0.3, "vendor": "vmware", "version": null }, { "model": "sterling selling and fulfillment foundation 
9.5.0-sfp2", "scope": "ne", "trust": 0.3, "vendor": "ibm", "version": null }, { "model": "sterling selling and fulfillment foundation 9.4.0-sfp3", "scope": "ne", "trust": 0.3, "vendor": "ibm", "version": null }, { "model": "sterling selling and fulfillment foundation 9.3.0-sfp5", "scope": "ne", "trust": 0.3, "vendor": "ibm", "version": null }, { "model": "sterling selling and fulfillment foundation sfp6", "scope": "ne", "trust": 0.3, "vendor": "ibm", "version": "9.2.1-" }, { "model": "sterling selling and fulfillment foundation sfp6", "scope": "ne", "trust": 0.3, "vendor": "ibm", "version": "9.2.0-" }, { "model": "sterling selling and fulfillment foundation sfp6", "scope": "ne", "trust": 0.3, "vendor": "ibm", "version": "9.1.0-" }, { "model": "virtualized voice browser su1", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5" }, { "model": "unity connection", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "12.0" }, { "model": "unity connection", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5" }, { "model": "unity connection", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.0" }, { "model": "unified sip proxy software", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.1" }, { "model": "unified intelligent contact management enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5(1)" }, { "model": "unified intelligent contact management enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.0(2)" }, { "model": "unified intelligent contact management enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.5(3)" }, { "model": "unified intelligent contact management enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.0(2)" }, { "model": "unified intelligence center es03", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5(1)" }, { "model": "unified contact center express su1", "scope": "ne", 
"trust": 0.3, "vendor": "cisco", "version": "11.5" }, { "model": "unified contact center enterprise live data server", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "-11.5(1)" }, { "model": "unified contact center enterprise live data server", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "-11.0(2)" }, { "model": "unified contact center enterprise live data server", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "-10.5(3)" }, { "model": "unified contact center enterprise live data server", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "-10.0(2)" }, { "model": "unified contact center enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5(1)" }, { "model": "unified contact center enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.0(2)" }, { "model": "unified contact center enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.5(3)" }, { "model": "unified contact center enterprise", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.0(2)" }, { "model": "socialminer su1", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5" }, { "model": "prime license manager 11.5 su1a", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": null }, { "model": "mediasense", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5" }, { "model": "hosted collaboration solution for contact center", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.5(1)" }, { "model": "hosted collaboration solution for contact center", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "11.0(2)" }, { "model": "hosted collaboration solution for contact center", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.5(3)" }, { "model": "hosted collaboration solution for contact center", "scope": "ne", "trust": 0.3, "vendor": "cisco", "version": "10.0(2)" }, { "model": "finesse es2", "scope": "ne", "trust": 0.3, "vendor": 
"cisco", "version": "11.5" }, { "model": "hipchat server", "scope": "ne", "trust": 0.3, "vendor": "atlassian", "version": "2.2.2" }, { "model": "crowd", "scope": "ne", "trust": 0.3, "vendor": "atlassian", "version": "2.11.1" }, { "model": "crowd", "scope": "ne", "trust": 0.3, "vendor": "atlassian", "version": "2.10.3" }, { "model": "crowd", "scope": "ne", "trust": 0.3, "vendor": "atlassian", "version": "2.9.7" }, { "model": "bamboo", "scope": "ne", "trust": 0.3, "vendor": "atlassian", "version": "5.15.3" }, { "model": "bamboo", "scope": "ne", "trust": 0.3, "vendor": "atlassian", "version": "5.14.5" }, { "model": "struts", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "2.5.10.1" }, { "model": "struts", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "2.3.32" } ], "sources": [ { "db": "BID", "id": "96729" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "CNNVD", "id": "CNNVD-201703-152" }, { "db": "NVD", "id": "CVE-2017-5638" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": 
true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*", "cpe_name": [], 
"vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { 
"cpe23Uri": "cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2017-5638" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Nike Zheng", "sources": [ { "db": "BID", "id": "96729" } ], "trust": 0.3 }, "cve": "CVE-2017-5638", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, 
"impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 10.0, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2017-5638", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 6.0, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2017-5638", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2017-5638", "trust": 1.8, "value": "CRITICAL" }, { "author": "CNNVD", "id": "CNNVD-201703-152", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULMON", "id": "CVE-2017-5638", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": 
"VULMON", "id": "CVE-2017-5638" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "CNNVD", "id": "CNNVD-201703-152" }, { "db": "NVD", "id": "CVE-2017-5638" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. Apache Struts2 contains a vulnerability that allows the execution of arbitrary code. A vulnerability exists in the Jakarta Multipart parser of Apache Struts2 that could allow the execution of arbitrary code. Attack code for this vulnerability has been released. By processing a request crafted by a remote third party, arbitrary code could be executed with the privileges of the application. Apache Struts is prone to a remote code-execution vulnerability. \nApache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03723en_us\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: hpesbhf03723en_us\nVersion: 1\n\nHPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts,\nRemote Code Execution\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. 
\n\nRelease Date: 2017-03-29\nLast Updated: 2017-03-29\n\nPotential Security Impact: Remote: Code Execution\n\nSource: Hewlett Packard Enterprise, Product Security Response Team\n\nVULNERABILITY SUMMARY\nA potential security vulnerability has been identified in HPE Aruba ClearPass\nPolicy Manager. \n\n**Note:** The ClearPass Policy Manager administrative Web interface is\naffected by the vulnerability. ClearPass Guest, Insight, and Graphite are NOT\nimpacted. \n\nReferences:\n\n - CVE-2017-5638 - Apache Struts, remote code execution\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \n\n - Aruba ClearPass Policy Manager All versions prior to 6.6.5\n\nBACKGROUND\n\n CVSS Base Metrics\n =================\n Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector\n\n CVE-2017-5638\n 9.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\n 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P)\n\n Information on CVSS is documented in\n HPE Customer Notice HPSN-2008-002 here:\n\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499\n\nRESOLUTION\n\nHPE Aruba has provided hotfixes for ClearPass 6.6.5, 6.6.4, and 6.5.7. Use\none of the following methods to install the appropriate hotfix:\n\nInstall the Hotfix Online Using the Software Updates Portal:\n \n 1. Open ClearPass Policy Manager and go to Administration - Agents and\nSoftware\n Updates - Software Updates. \n \n 2. In the Firmware and Patch Updates area, find the \"ClearPass 6.5.7\nHotfix\n Patch for CVE-2017-5638\" or \"ClearPass 6.6.4 Hotfix Patch for\nCVE-2017-5638\"\n patch and click the Download button in its row. \n \n 3. Click Install. \n \n 4. When the installation is complete and the status is shown as \"Needs\n Restart\", proceed to restart ClearPass. After reboot, the status for the\n patch will be shown as Installed. The ClearPass Policy Manager version\n number will not change. \n\n \nInstalling the hotfix Offline Using the Patch File from\nsupport.arubanetworks.com:\n \n 1. 
Download the \"ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638\" or\n \"ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638\" patch from the Support\nsite. \n \n 2. Open the ClearPass Policy Manager Admin UI and go to Administration -\n Agents and Software Updates - Software Updates. \n 3. At the bottom of the Firmware and Patch Updates area, click Import\nUpdates\n and browse to the downloaded patch file. The name and description once\n imported may differ from the name and remark on the support site\n as these were adjusted after posting. This is purely a cosmetic\ndiscrepancy. \n \n 4. Click Install. \n \n 5. When the installation is complete and the status is shown as Needs\nRestart,\n proceed to restart ClearPass. After reboot, the status for the patch will\n be shown as Installed. The ClearPass Policy Manager version number will\n not change. \n\n\nWorkarounds\n- ----------- \nRestrict access to the Policy Manager Admin Web Interface. This can be\naccomplished by navigating to Administration - Server Manager -\nServer Configuration - Server-Name - Network - Restrict Access and\nonly allowing non-public or network management networks. \n\n**Note:** Please contact HPE Technical Support if any assistance is needed\nacquiring the software updates. \n\nHISTORY\nVersion:1 (rev.1) - 29 March 2017 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer\u0027s patch management\npolicy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HPE Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hpe.com. 
\n\nReport: To report a potential security vulnerability for any HPE supported\nproduct:\n Web form: https://www.hpe.com/info/report-security-vulnerability\n Email: security-alert@hpe.com\n\nSubscribe: To initiate a subscription to receive future HPE Security Bulletin\nalerts via Email: http://www.hpe.com/support/Subscriber_Choice\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here: http://www.hpe.com/support/Security_Bulletin_Archive\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HPE General Software\nHF = HPE Hardware and Firmware\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPV = ProCurve\nST = Storage Software\nUX = HP-UX\n\nCopyright 2016 Hewlett Packard Enterprise\n\nHewlett Packard Enterprise shall not be liable for technical or editorial\nerrors or omissions contained herein. The information provided is provided\n\"as is\" without warranty of any kind. To the extent permitted by law, neither\nHP or its affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. Hewlett\nPackard Enterprise and the names of Hewlett Packard Enterprise products\nreferenced herein are trademarks of Hewlett Packard Enterprise in the United\nStates and other countries. Other product and company names mentioned herein\nmay be trademarks of their respective owners. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQEcBAEBCAAGBQJY3BR/AAoJELXhAxt7SZaiMW8H/0+jWL4Evk+KeqP7aYk1msGp\n9ih3F2680VrHVsUbSzul3+svnaWTJUgRe7fUTvsh/Q6bx/Eo86yo8iXGjmzETLtY\ncTuQrHLySo55Pwua9+89V4e13QkRvQ/UmQPYDMPEk9L7wwU9OF0oCpXHQBuWnw07\nmKLZ12HaZqM8vJXgwgJFH77Mf3r5TkGFHsrZ0M+2vvxioJIEfmWV/x4eqtvIy6zS\nC6CX1M9x4xD442XcFfnH0BHA9RL6LOeYngTPYR7IIycvzpqd8kOWunjs38+IJpFR\ng49ho/NddeZfDKdJcIdfJ+0f3x2h7FPiVadXu1PzdCckhFHkHmrSlVcRbQZ+1R8=\n=8ljI\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2017-5638" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "BID", "id": "96729" }, { "db": "VULMON", "id": "CVE-2017-5638" }, { "db": "PACKETSTORM", "id": "142055" }, { "db": "PACKETSTORM", "id": "141863" } ], "trust": 2.16 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=41570", "trust": 0.2, "type": "exploit" } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-5638" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-5638", "trust": 3.0 }, { "db": "CERT/CC", "id": "VU#834067", "trust": 2.7 }, { "db": "BID", "id": "96729", "trust": 1.9 }, { "db": "EXPLOIT-DB", "id": "41614", "trust": 1.6 }, { "db": "EXPLOIT-DB", "id": "41570", "trust": 1.6 }, { "db": "SECTRACK", "id": "1037973", "trust": 1.6 }, { "db": "LENOVO", "id": "LEN-14200", "trust": 1.6 }, { "db": "PACKETSTORM", "id": "141494", "trust": 1.6 }, { "db": "JVN", "id": "JVNVU93610402", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2017-001621", "trust": 0.8 }, { "db": "CNNVD", "id": 
"CNNVD-201703-152", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2017-5638", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "142055", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "141863", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-5638" }, { "db": "BID", "id": "96729" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "PACKETSTORM", "id": "142055" }, { "db": "PACKETSTORM", "id": "141863" }, { "db": "CNNVD", "id": "CNNVD-201703-152" }, { "db": "NVD", "id": "CVE-2017-5638" } ] }, "id": "VAR-201703-0755", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.5 }, "last_update_date": "2024-04-19T23:01:51.687000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "WW-3025", "trust": 0.8, "url": "https://issues.apache.org/jira/browse/ww-3025" }, { "title": "Alternate Libraries", "trust": 0.8, "url": "https://cwiki.apache.org/confluence/display/ww/file+upload#fileupload-alternatelibraries" }, { "title": "S2-045: Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.", "trust": 0.8, "url": "https://struts.apache.org/docs/s2-045.html" }, { "title": "Uses default error key if specified key doesn\u0027t exist (3523064)", "trust": 0.8, "url": "https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a" }, { "title": "Uses default error key if specified key doesn\u0027t exist (6b8272c)", "trust": 0.8, "url": "https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228" }, { "title": "Content-Type: Malicious - New Apache Struts2 
0-day Under Attack", "trust": 0.8, "url": "http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html" }, { "title": "hitachi-sec-2017-110", "trust": 0.8, "url": "http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-110/index.html" }, { "title": "NV17-013", "trust": 0.8, "url": "http://jpn.nec.com/security-info/secinfo/nv17-013.html" }, { "title": "hitachi-sec-2017-110", "trust": 0.8, "url": "http://www.hitachi.co.jp/prod/comp/soft1/security/info/vuls/hitachi-sec-2017-110/index.html" }, { "title": "Veritas NetBackup: \u4efb\u610f\u306e\u30b3\u30de\u30f3\u30c9\u304c\u5b9f\u884c\u3055\u308c\u308b\u8106\u5f31\u6027(CVE-2017-5638) (2017\u5e749\u67081\u65e5)", "trust": 0.8, "url": "http://www.fujitsu.com/jp/products/software/resources/condition/security/products-fujitsu/solution/veritas201712.html" }, { "title": "Apache Struts 2 Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=67948" }, { "title": "Cisco: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-20170310-struts2" }, { "title": "CVE-2017-5638", "trust": 0.1, "url": "https://github.com/readloud/cve-2017-5638 " }, { "title": "cve-2017-5638", "trust": 0.1, "url": "https://github.com/jrrdev/cve-2017-5638 " }, { "title": "apache-struts-v2-CVE-2017-5638", "trust": 0.1, "url": "https://github.com/cafnet/apache-struts-v2-cve-2017-5638 " }, { "title": "struts-vulnerability-demo", "trust": 0.1, "url": "https://github.com/corpbob/struts-vulnerability-demo " }, { "title": "struts2_cve-2017-5638", "trust": 0.1, "url": "https://github.com/m3ssap0/struts2_cve-2017-5638 " }, { "title": "struts-rce-cve-2017-5638", "trust": 0.1, "url": "https://github.com/riyazwalikar/struts-rce-cve-2017-5638 " }, { "title": "equifax-data-breach", "trust": 0.1, "url": 
"https://github.com/raul23/equifax-data-breach " }, { "title": "CVE-2017-5638", "trust": 0.1, "url": "https://github.com/colorblindpentester/cve-2017-5638 " }, { "title": "struts2-rce", "trust": 0.1, "url": "https://github.com/sotudeko/struts2-rce " }, { "title": "vuln-struts2-vm", "trust": 0.1, "url": "https://github.com/evolvesecurity/vuln-struts2-vm " }, { "title": "Apache-Struts-2-CVE-2017-5638-Exploit", "trust": 0.1, "url": "https://github.com/dock0d1/apache-struts-2-cve-2017-5638-exploit " }, { "title": "struts2-rce", "trust": 0.1, "url": "https://github.com/rjd3/struts2-rce " }, { "title": "Struts2-045-RCE", "trust": 0.1, "url": "https://github.com/rayscri/struts2-045-rce " } ], "sources": [ { "db": "VULMON", "id": "CVE-2017-5638" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "CNNVD", "id": "CNNVD-201703-152" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-20", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "NVD", "id": "CVE-2017-5638" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.7, "url": "https://www.kb.cert.org/vuls/id/834067" }, { "trust": 1.9, "url": "https://github.com/rapid7/metasploit-framework/issues/8064" }, { "trust": 1.9, "url": "https://cwiki.apache.org/confluence/display/ww/s2-045" }, { "trust": 1.6, "url": "http://www.arubanetworks.com/assets/alert/aruba-psa-2017-002.txt" }, { "trust": 1.6, "url": "https://cwiki.apache.org/confluence/display/ww/s2-046" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/96729" }, { "trust": 1.6, "url": 
"https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/" }, { "trust": 1.6, "url": "https://www.symantec.com/security-center/network-protection-security-advisories/sa145" }, { "trust": 1.6, "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/" }, { "trust": 1.6, "url": "https://exploit-db.com/exploits/41570" }, { "trust": 1.6, "url": "https://packetstormsecurity.com/files/141494/s2-45-poc.py.txt" }, { "trust": 1.6, "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "trust": 1.6, "url": "https://github.com/mazen160/struts-pwn" }, { "trust": 1.6, "url": "https://support.lenovo.com/us/en/product_security/len-14200" }, { "trust": 1.6, "url": "https://struts.apache.org/docs/s2-046.html" }, { "trust": 1.6, "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbgn03733en_us" }, { "trust": 1.6, "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbhf03723en_us" }, { "trust": 1.6, "url": "https://security.netapp.com/advisory/ntap-20170310-0001/" }, { "trust": 1.6, "url": "https://twitter.com/theog150/status/841146956135124993" }, { "trust": 1.6, "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbgn03749en_us" }, { "trust": 1.6, "url": "https://www.exploit-db.com/exploits/41614/" }, { "trust": 1.6, "url": "https://struts.apache.org/docs/s2-045.html" }, { "trust": 1.6, "url": "http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html" }, { "trust": 1.6, "url": "http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id/1037973" }, { "trust": 1.6, "url": "https://isc.sans.edu/diary/22169" }, { "trust": 1.6, "url": 
"https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/" }, { "trust": 1.0, "url": "https://git1-us-west.apache.org/repos/asf?p=struts.git%3ba=commit%3bh=352306493971e7d5a756d61780d57a76eb1f519a" }, { "trust": 1.0, "url": "https://git1-us-west.apache.org/repos/asf?p=struts.git%3ba=commit%3bh=6b8272ce47160036ed120a48345d9aa884477228" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5638" }, { "trust": 0.8, "url": "https://www.ipa.go.jp/security/ciadr/vul/20170308-struts.html" }, { "trust": 0.8, "url": "https://www.jpcert.or.jp/at/2017/at170009.html" }, { "trust": 0.8, "url": "http://jvn.jp/vu/jvnvu93610402/index.html" }, { "trust": 0.8, "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-5638" }, { "trust": 0.6, "url": "https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3cannounce.apache.org%3e" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3cannounce.apache.org%3e" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3cannounce.apache.org%3e" }, { "trust": 0.6, "url": "http-vuln-cve2017-5638.html" }, { 
"trust": 0.6, "url": "https://nmap.org/nsedoc/scripts/" }, { "trust": 0.6, "url": "https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a" }, { "trust": 0.6, "url": "https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170316-01-struts2-cn" }, { "trust": 0.4, "url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-hpesbgn03733en_us" }, { "trust": 0.3, "url": "http://www.apache.org/" }, { "trust": 0.3, "url": "http://struts.apache.org/" }, { "trust": 0.3, "url": "https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-03-10-876857850.html" }, { "trust": 0.3, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430326" }, { "trust": 0.3, "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170310-struts2" }, { "trust": 0.3, "url": "https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html" }, { "trust": 0.3, "url": "https://confluence.atlassian.com/display/hc/hipchat+server+security+advisory+2017-03-09" }, { "trust": 0.3, "url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-hpesbgn03749en_us" }, { "trust": 0.3, "url": "http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170313-01-struts2-en" }, { "trust": 0.3, "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html" }, { "trust": 0.3, "url": "http://www-01.ibm.com/support/docview.wss?uid=swg22000444" }, { "trust": 0.3, "url": "http://www-01.ibm.com/support/docview.wss?uid=swg22001736" }, { "trust": 0.3, "url": "http://www.vmware.com/security/advisories/vmsa-2017-0004.html" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-5638" }, { "trust": 0.2, "url": "http://www.hpe.com/support/security_bulletin_archive" }, { "trust": 0.2, "url": "https://www.hpe.com/info/report-security-vulnerability" }, { "trust": 0.2, "url": 
"https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499" }, { "trust": 0.2, "url": "http://www.hpe.com/support/subscriber_choice" }, { "trust": 0.1, "url": "https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets" }, { "trust": 0.1, "url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-hpesbhf03723en_us" } ], "sources": [ { "db": "BID", "id": "96729" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "PACKETSTORM", "id": "142055" }, { "db": "PACKETSTORM", "id": "141863" }, { "db": "CNNVD", "id": "CNNVD-201703-152" }, { "db": "NVD", "id": "CVE-2017-5638" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2017-5638" }, { "db": "BID", "id": "96729" }, { "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "db": "PACKETSTORM", "id": "142055" }, { "db": "PACKETSTORM", "id": "141863" }, { "db": "CNNVD", "id": "CNNVD-201703-152" }, { "db": "NVD", "id": "CVE-2017-5638" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-03-11T00:00:00", "db": "VULMON", "id": "CVE-2017-5638" }, { "date": "2017-03-06T00:00:00", "db": "BID", "id": "96729" }, { "date": "2017-03-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "date": "2017-04-07T18:18:00", "db": "PACKETSTORM", "id": "142055" }, { "date": "2017-03-30T16:04:25", "db": "PACKETSTORM", "id": "141863" }, { "date": "2017-03-07T00:00:00", "db": "CNNVD", "id": "CNNVD-201703-152" }, { "date": "2017-03-11T02:59:00.150000", "db": "NVD", "id": "CVE-2017-5638" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2017-5638" }, { "date": "2017-05-26T07:00:00", "db": "BID", "id": "96729" 
}, { "date": "2017-10-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-001621" }, { "date": "2021-02-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201703-152" }, { "date": "2023-11-07T02:49:27.957000", "db": "NVD", "id": "CVE-2017-5638" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201703-152" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Struts2 Vulnerable to arbitrary code execution", "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-001621" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Input Validation Error", "sources": [ { "db": "BID", "id": "96729" }, { "db": "CNNVD", "id": "CNNVD-201703-152" } ], "trust": 0.9 } }