Atlassian Bamboo Server 5.9.x < 5.9.9 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9668

Synopsis

The remote Bamboo server is affected by multiple attack vectors.

Description

Versions of Bamboo 5.9.x prior to 5.9.9 are affected by multiple vulnerabilities:

- A flaw is triggered when deserializing user input. This may allow a remote attacker to execute arbitrary code.
- A flaw exists due to the program failing to perform authentication checks before exposing certain services. This may allow a remote attacker to gain access to credential information, modify certain settings, and manage build agents.
- A flaw exists in the 'Smack XMPP' library that is triggered during the handling of the deserialization of messages. This may allow a remote attacker to execute arbitrary code.

Solution

Upgrade to Bamboo version 5.9.9 or later.

See Also

https://jira.atlassian.com/browse/BAM-17099

https://jira.atlassian.com/browse/BAM-17101

https://jira.atlassian.com/browse/BAM-17102

Plugin Details

Severity: High

ID: 9668

Family: CGI

Published: 2016/10/14

Updated: 2019/03/06

Dependencies: 9652

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:atlassian:bamboo

Patch Publication Date: 2016/01/20

Vulnerability Publication Date: 2016/01/20

Reference Information

CVE: CVE-2014-9757, CVE-2015-8360, CVE-2015-8361

BID: 83104, 83107, 83111