CVE-2017-8907 is a vulnerability in Atlassian Bamboo
Published on June 14, 2017
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo.
Vulnerability Analysis
CVE-2017-8907 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2017-8907 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2017-8907
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2017-8907 are published in Atlassian Bamboo:
Affected Versions
Atlassian Bamboo:- Version 5.0.0 <= version < 5.15.7 is affected.
- Version 6.0.0 <= version < 6.0.1 is affected.
- Version 0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.