High Severity File Inclusion 9.0-9.6 Atlassian Bamboo
CVE-2024-21687 Published on July 16, 2024

This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or to execute other files already stored locally on the server. It has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the supported fixed versions listed for this CVE. See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program.

Weakness Type

What is a Remote file include Vulnerability?

The PHP application receives input from an upstream component but does not restrict, or incorrectly restricts, that input before using it in "require", "include" or similar functions. In certain versions and configurations of PHP, this allows an attacker to specify a URL to a remote location from which the software will fetch the code it executes. In other cases, combined with path traversal, the attacker can specify a local file that may contain executable statements which PHP will parse.

CVE-2024-21687 has been classified as a Remote file include vulnerability or weakness.
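The weakness description above is the generic CWE framing. As an added example (not code from the page, from Atlassian or from Bamboo), the Python below shows the defender-side checks that close both halves of the weakness: refusing any include name that carries a URL scheme or host, and resolving local names to a canonical path that must stay inside a fixed include root and match a file-type allowlist. Function names, the ".tmpl" suffix and the scratch fixture are all hypothetical and constructed for the demonstration.

```python
import os, shutil, tempfile
from urllib.parse import urlsplit

class IncludeError(ValueError):
    pass  # raised when a requested include name is rejected

def resolve_include(base_dir, requested, allowed_suffixes=(".tmpl",)):
    """Real path of `requested` if it is an allowed file inside base_dir."""
    # Remote inclusion: any scheme or host component is refused up front.
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        raise IncludeError("remote includes are not permitted")
    # Canonicalise both sides so '..' segments and symlinks are resolved.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Containment: the candidate must sit strictly below the include root.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise IncludeError("path escapes the include directory")
    # Allowlist the file type so arbitrary local files cannot be rendered.
    if not candidate.endswith(tuple(allowed_suffixes)):
        raise IncludeError("file type not permitted")
    if not os.path.isfile(candidate):
        raise IncludeError("no such include")
    return candidate

def check_names(base_dir, names):
    """Map each requested name to 'ok' or the reason it was rejected."""
    verdicts = {}
    for name in names:
        try:
            resolve_include(base_dir, name)
            verdicts[name] = "ok"
        except IncludeError as exc:
            verdicts[name] = str(exc)
    return verdicts

def demo():
    # Constructed fixture: a scratch include root plus one file outside it.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "templates"))
    for rel, body in (("templates/header.tmpl", "<h1>hi</h1>"),
                      ("templates/notes.txt", "not a template"),
                      ("secret.txt", "outside the include root")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    names = ["header.tmpl", "../secret.txt", "notes.txt",
             "http://example.invalid/header.tmpl", "missing.tmpl"]
    try:
        return check_names(os.path.join(root, "templates"), names)
    finally:
        shutil.rmtree(root)
```

Only the in-root template passes; the traversal, the remote URL, the disallowed suffix and the missing file each return a distinct rejection reason, which is also what you would want to log when reviewing include requests.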


Products Associated with CVE-2024-21687

Affected Versions

Atlassian Bamboo Data Center (atlassian bamboo_data_center)
Atlassian Bamboo Server (atlassian bamboo_server)

Exploit Probability

EPSS: 1.06%
Percentile: 77.33%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.