CVE-2017-14589Improper Input Validation in Atlassian Bamboo

CWE-20Improper Input Validation3 documents3 sources
Severity
9.6CRITICALNVD
EPSS
0.3%
top 42.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Atlassian Bamboo
Timeline
PublishedDec 13
Latest updateMay 14

Description

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by thi

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages2 packages

NVDatlassian/bamboo6.2.06.2.5+1
CVEListV5atlassian/bamboobefore 6.1.6 (the fixed version for 6.1.x), from 6.2.0 before 6.2.5 (the fixed version for 6.2.x)+1

🔴Vulnerability Details

2
GHSA
GHSA-5375-qw4c-whr2: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur2022-05-14
CVEList
CVE-2017-14589: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur2017-12-13
CVE-2017-14589 — Improper Input Validation in Atlassian | cvebase