CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2017-14589

CRITICAL
9.6
CVSS Severity Score
EPSS Score0.0260%
EPSS Percentile5.47th
Published2017年12月13日
Last Modified2026年5月13日

Vulnerability Description

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Affected Platforms (CPE)

📦
Atlassian

Bamboo

< 6.1.6
📦
Atlassian

Bamboo

>= 6.2.0 and < 6.2.5

References & Advisories

🔗 http://www.securityfocus.com/bid/102188
🔗 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html
🔗 https://jira.atlassian.com/browse/BAM-18842
🔗 http://www.securityfocus.com/bid/102188
🔗 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html
🔗 https://jira.atlassian.com/browse/BAM-18842

相關漏洞威脅

CVE-2014-97579.8

The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XM...

CVE-2015-83609.8

An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Jav...

CVE-2021-378439.8

The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is k...

CVE-2016-52299.8

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allow...