CVE-2017-8907
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/06/2017
Last modified:
20/04/2025
Description
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page