QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2017-8907

Back to search

CVE-2017-8907

Published: Jun 14, 2017

Modified: Oct 16, 2024

PUBLISHED

Description

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.

VendorProductVersions

Atlassian

Atlassian Bamboo

affected
5.0.0 <= version < 5.15.7
affected
6.0.0 <= version < 6.0.1

References

99090
vdb-entry
x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now