
CVE-2017-14590 – Atlassian Bamboo Code Execution / Argument Injection
https://notcve.org/view.php?id=CVE-2017-14590
13 Dec 2017 — Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable v... • http://www.securityfocus.com/bid/102193 •

CVE-2017-8907 – Bamboo 5.x / 6.x Incorrect Permission Check
https://notcve.org/view.php?id=CVE-2017-8907
14 Jun 2017 — Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code... • http://www.securityfocus.com/bid/99090 • CWE-863: Incorrect Authorization •