CVE-2017-8907

CWE-863Incorrect Authorization3 documents3 sources
Severity
8.8HIGH
EPSS
0.4%
top 36.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Atlassian Atlassian BambooAtlassian Bamboo
Timeline
PublishedJun 14
Latest updateMay 13

Description

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this mea

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDatlassian/bamboo49 versions+48
CVEListV5atlassian/atlassian_bamboo5.0.0 <= version < 5.15.7, 6.0.0 <= version < 6.0.1+1

🔴Vulnerability Details

2
GHSA
GHSA-4c52-gf37-2pfp: Atlassian Bamboo 52022-05-13
CVEList
CVE-2017-8907: Atlassian Bamboo 52017-06-14
CVE-2017-8907 (HIGH CVSS 8.8) | Atlassian Bamboo 5.x before 5.15.7 | cvebase.io