Vulnerability Database

CVE-2017-8907

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check whether a user creating a deployment project had the edit permission and therefore the right to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

  • Published: Jun 14, 2017
  • Updated: Apr 13, 2023
  • CVE: CVE-2017-8907
  • Severity: High

CVSS v3:

  • Severity: High
  • Score: 8.8
  • AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: Medium
  • Score: 6.5
  • AV:N/AC:L/Au:S/C:P/I:P/A:P

Software             From        Fixed in
atlassian / bamboo   5.7         5.7.x
atlassian / bamboo   5.14.1      5.14.1.x
atlassian / bamboo   5.2.1       5.2.1.x
atlassian / bamboo   5.4         5.4.x
atlassian / bamboo   5.0-beta1   5.0-beta1.x
atlassian / bamboo   5.2.2       5.2.2.x
atlassian / bamboo   5.13.2      5.13.2.x
atlassian / bamboo   5.4.2       5.4.2.x
atlassian / bamboo   5.6         5.6.x
atlassian / bamboo   5.3         5.3.x
atlassian / bamboo   5.15.0      5.15.0.x
atlassian / bamboo   5.7.2       5.7.2.x
atlassian / bamboo   5.9.2       5.9.2.x
atlassian / bamboo   5.14.2      5.14.2.x
atlassian / bamboo   5.0-beta2   5.0-beta2.x
atlassian / bamboo   5.5         5.5.x
atlassian / bamboo   5.6.1       5.6.1.x
atlassian / bamboo   5.15.3      5.15.3.x
atlassian / bamboo   5.9.3       5.9.3.x
atlassian / bamboo   5.4.1       5.4.1.x
atlassian / bamboo   5.12.4      5.12.4.x
atlassian / bamboo   5.15.2      5.15.2.x
atlassian / bamboo   5.1         5.1.x
atlassian / bamboo   5.12.0      5.12.0.x
atlassian / bamboo   5.7.1       5.7.1.x
atlassian / bamboo   5.14.3      5.14.3.x
atlassian / bamboo   5.13.1      5.13.1.x
atlassian / bamboo   5.9         5.9.x
atlassian / bamboo   5.15.5      5.15.5.x
atlassian / bamboo   5.9.7       5.9.7.x
atlassian / bamboo   5.8         5.8.x
atlassian / bamboo   5.8.2       5.8.2.x
atlassian / bamboo   5.12.2      5.12.2.x
atlassian / bamboo   5.14.5      5.14.5.x
atlassian / bamboo   5.6.2       5.6.2.x
atlassian / bamboo   5.14.0      5.14.0.x
atlassian / bamboo   5.0-beta3   5.0-beta3.x
atlassian / bamboo   5.11.3      5.11.3.x
atlassian / bamboo   5.1.1       5.1.1.x
atlassian / bamboo   5.12.5      5.12.5.x
atlassian / bamboo   5.14.4.1    5.14.4.1.x
atlassian / bamboo   5.13.0      5.13.0.x
atlassian / bamboo   6.0.0       6.0.0.x
atlassian / bamboo   5.9.1       5.9.1.x
atlassian / bamboo   5.0-rc1     5.0-rc1.x
atlassian / bamboo   5.2         5.2.x
atlassian / bamboo   5.0.1       5.0.1.x
atlassian / bamboo   5.8.1       5.8.1.x
atlassian / bamboo   5.8.5       5.8.5.x
atlassian / bamboo   5.12.1      5.12.1.x
atlassian / bamboo   5.0         5.0.x
atlassian / bamboo   5.9.4       5.9.4.x
atlassian / bamboo   5.15.4      5.15.4.x