CVE-2017-9514


Summary
  • Severity Score: 8.8 (CVSS v3)
  • Exploit Likelihood (EPSS): not provided
  • Affected Versions (CPE): not provided
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -
Descriptions

Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.

Credits: N/A
CVSS Scores

CVSS v3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's worst-case scenario
Timeline
  • 2017-06-07 CVE Reserved
  • 2017-10-12 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
Affected Vendors, Products, and Versions
Vendor     Product  Version  Other  Status
---------  -------  -------  -----  --------
Atlassian  Bamboo   6.0.0    -      Affected
Atlassian  Bamboo   6.0.1    -      Affected
Atlassian  Bamboo   6.0.2    -      Affected
Atlassian  Bamboo   6.0.3    -      Affected
Atlassian  Bamboo   6.0.4    -      Affected
Atlassian  Bamboo   6.1.0    -      Affected
Atlassian  Bamboo   6.1.1    -      Affected
Atlassian  Bamboo   6.2.0    -      Affected