CVE-2017-8907

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so.  An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent.  By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
atlassianCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
atlassianbamboo
5.0
atlassianbamboo
5.0:beta1
atlassianbamboo
5.0:beta2
atlassianbamboo
5.0:beta3
atlassianbamboo
5.0:rc1
atlassianbamboo
5.0.1
atlassianbamboo
5.1
atlassianbamboo
5.1.1
atlassianbamboo
5.2
atlassianbamboo
5.2.1
atlassianbamboo
5.2.2
atlassianbamboo
5.3
atlassianbamboo
5.4
atlassianbamboo
5.4.1
atlassianbamboo
5.4.2
atlassianbamboo
5.5
atlassianbamboo
5.6
atlassianbamboo
5.6.1
atlassianbamboo
5.6.2
atlassianbamboo
5.7
atlassianbamboo
5.7.1
atlassianbamboo
5.7.2
atlassianbamboo
5.8
atlassianbamboo
5.8.1
atlassianbamboo
5.8.2
atlassianbamboo
5.8.5
atlassianbamboo
5.9
atlassianbamboo
5.9.1
atlassianbamboo
5.9.2
atlassianbamboo
5.9.3
atlassianbamboo
5.9.4
atlassianbamboo
5.9.7
atlassianbamboo
5.11.3
atlassianbamboo
5.12.0
atlassianbamboo
5.12.1
atlassianbamboo
5.12.2
atlassianbamboo
5.12.4
atlassianbamboo
5.12.5
atlassianbamboo
5.13.0
atlassianbamboo
5.13.1
atlassianbamboo
5.13.2
atlassianbamboo
5.14.0
atlassianbamboo
5.14.1
atlassianbamboo
5.14.2
atlassianbamboo
5.14.3
atlassianbamboo
5.14.4.1
atlassianbamboo
5.14.5
atlassianbamboo
5.15.0
atlassianbamboo
5.15.2
atlassianbamboo
5.15.3
atlassianbamboo
5.15.4
atlassianbamboo
5.15.5
atlassianbamboo
6.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/99090
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html
http://www.securityfocus.com/bid/99090
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html