Atlassian Bamboo Server 5.9.x < 5.9.9 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9668

Synopsis

The remote Bamboo server is affected by multiple vulnerabilities.

Description

Versions of Bamboo 5.9.x prior to 5.9.9 are affected by multiple vulnerabilities:

- An unsafe deserialization flaw is triggered when the server deserializes attacker-controlled input. A remote, unauthenticated attacker may exploit this to execute arbitrary code.
- Certain services are exposed without authentication checks. A remote attacker may use them to obtain credential information, modify certain settings, and manage build agents.
- The bundled Smack XMPP library deserializes untrusted data while handling incoming messages. A remote attacker may exploit this to execute arbitrary code.

Solution

Upgrade to Bamboo 5.9.9 or later.
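
The version check below is an added example for triaging scan results offline; it is not part of the Tenable plugin or of Atlassian's code. It encodes only the range this page states (5.9.x before 5.9.9 affected, 5.9.9 fixed), so a server on another branch is reported as "not-assessed" rather than "fixed": this plugin says nothing about 5.8.x or 5.10.x, and that result must not be read as "safe". The JSON samples are constructed for the example; the assumption that a Bamboo REST info response carries a "version" key is mine and should be confirmed against your own server.

```python
"""Added example: classify Bamboo version strings against the range on this
page (5.9.x before 5.9.9 affected; 5.9.9 fixed).  Not Tenable or Atlassian code."""
import json
import re
from typing import Dict, Optional, Tuple

# Range taken from the Description and Solution sections of this plugin page.
AFFECTED_BRANCH = (5, 9)
FIXED_VERSION = (5, 9, 9)

# First dotted number in the text; a bare build number such as "5915" has no
# dot and is deliberately not matched.
_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) from strings such as '5.9.7', 'Bamboo 5.9'
    or '5.9.8-SNAPSHOT'.  Qualifiers after the number are ignored and missing
    components are treated as 0.  Returns None when no dotted version is
    present, so a banner that hides the version is never treated as fixed."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True only for 5.9.x strictly below 5.9.9, the range this plugin reports."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Bamboo version string: {version!r}")
    return parsed[:2] == AFFECTED_BRANCH and parsed < FIXED_VERSION


def classify(version: str) -> str:
    """Three-way verdict.  'not-assessed' is distinct from 'fixed' because the
    plugin covers only the 5.9.x branch; other branches are out of its scope."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    if parsed[:2] != AFFECTED_BRANCH:
        return "not-assessed"  # e.g. 5.8.x or 5.10.x: not covered by this plugin
    return "affected" if parsed < FIXED_VERSION else "fixed"


def classify_info_json(body: str) -> str:
    """Classify from a JSON document with a 'version' key.  That a Bamboo REST
    info response has this shape is an assumption of this example."""
    try:
        version = json.loads(body).get("version", "")
    except (ValueError, AttributeError):
        return "unknown"
    return classify(str(version))


# Constructed sample responses for four hypothetical hosts (not real scan data).
SAMPLE_RESPONSES: Dict[str, str] = {
    "build-1": '{"version": "5.9.7", "buildNumber": "5915", "state": "RUNNING"}',
    "build-2": '{"version": "5.9.9", "buildNumber": "5918", "state": "RUNNING"}',
    "build-3": '{"version": "5.10.0", "state": "RUNNING"}',
    "build-4": '{"edition": "", "state": "RUNNING"}',
}


def triage(responses: Dict[str, str] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Map host label -> verdict; hosts needing the 5.9.9 upgrade are 'affected'."""
    return {host: classify_info_json(body) for host, body in responses.items()}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```

Only "affected" hosts need the upgrade from the Solution section; "unknown" hosts hide their version and should be checked by hand rather than dropped from the list.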

See Also

https://jira.atlassian.com/browse/BAM-17099

https://jira.atlassian.com/browse/BAM-17101

https://jira.atlassian.com/browse/BAM-17102

Plugin Details

Severity: High

ID: 9668

Family: CGI

Published: 10/14/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:atlassian:bamboo

Patch Publication Date: 1/20/2016

Vulnerability Publication Date: 1/20/2016

Reference Information

CVE: CVE-2014-9757, CVE-2015-8360, CVE-2015-8361

BID: 83104, 83107, 83111