Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
Metrics
Affected Vendors & Products
References
History
Wed, 16 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: atlassian
Published: 2017-06-14T20:00:00
Updated: 2024-10-16T13:45:59.898Z
Reserved: 2017-05-12T00:00:00
Link: CVE-2017-8907
Vulnrichment
Updated: 2024-08-05T16:48:22.661Z
NVD
Status : Modified
Published: 2017-06-14T20:29:00.140
Modified: 2024-11-21T03:34:57.050
Link: CVE-2017-8907
Redhat
No data.