
CVE-2017-18041
https://notcve.org/view.php?id=CVE-2017-18041
02 Feb 2018 — The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the name of a release. • http://www.securityfocus.com/bid/103071 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-18042
https://notcve.org/view.php?id=CVE-2017-18042
02 Feb 2018 — The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a cross-site request forgery (CSRF) vulnerability. • http://www.securityfocus.com/bid/103110 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-18080
https://notcve.org/view.php?id=CVE-2017-18080
02 Feb 2018 — The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a cross-site request forgery (CSRF) vulnerability. • https://jira.atlassian.com/browse/BAM-19664 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-18081
https://notcve.org/view.php?id=CVE-2017-18081
02 Feb 2018 — The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the value of the CSRF token cookie. • http://www.securityfocus.com/bid/103087 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-18082
https://notcve.org/view.php?id=CVE-2017-18082
02 Feb 2018 — The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the name of a branch. • https://jira.atlassian.com/browse/BAM-19666 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-14589 – Atlassian Bamboo Code Execution / Argument Injection
https://notcve.org/view.php?id=CVE-2017-14589
13 Dec 2017 — It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerabil... • http://www.securityfocus.com/bid/102188 • CWE-20: Improper Input Validation

CVE-2017-14590 – Atlassian Bamboo Code Execution / Argument Injection
https://notcve.org/view.php?id=CVE-2017-14590
13 Dec 2017 — Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable v... • http://www.securityfocus.com/bid/102193

CVE-2017-9514 – Bamboo 6.x Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-9514
12 Oct 2017 — Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo. • http://www.securityfocus.com/bid/101269 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2017-8907 – Bamboo 5.x / 6.x Incorrect Permission Check
https://notcve.org/view.php?id=CVE-2017-8907
14 Jun 2017 — Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code... • http://www.securityfocus.com/bid/99090 • CWE-863: Incorrect Authorization

CVE-2016-5229 – Bamboo Deserialization Issue
https://notcve.org/view.php?id=CVE-2016-5229
26 Jul 2016 — Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. This adviso... • http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html • CWE-284: Improper Access Control