Vulnerability CVE-2017-18080


Published: 2018-02-02

Description:
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.

Type: CWE-352 (Cross-Site Request Forgery (CSRF))

Vendor: Atlassian
Product: Bamboo
Version:
5.9.7
5.9.4
5.9.3
5.9.2
5.9.1
5.9
5.8.5
5.8.2
5.8.1
5.8
5.7.2
5.7.1
5.7
5.6.2
5.6.1
5.6
5.5
5.4.2
5.4.1
5.4
5.3
5.2.2
5.2.1
5.2
5.14.5
5.14.4.1
5.14.3
5.14.2
5.14.1
5.14.0
5.13.2
5.13.1
5.13.0
5.12.5
5.12.4
5.12.2
5.12.1
5.12.0
5.11.3
5.1.1
5.1
5.0.1
5.0
4.4.8
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4
4.3.4
4.3.3
4.3.2
4.3.1
4.3
4.2.1
4.2
4.1.2
4.1.1
4.1
4.0.1
4.0
3.4.5
3.4.4
3.4.3
3.4.2
3.4.1
3.4
3.3.4
3.3.3
3.3.2
3.3.1
3.3
3.2.2
3.2
3.1.4
3.1.3
3.1.1
3.1
3.0.3
3.0.2
3.0.1
3.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7
2.6.3
2.6.2
2.6.1
2.6
2.5.5
2.5.3
2.5.2
2.5.1
2.5
2.4.3
2.4.2
2.4.1
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
https://jira.atlassian.com/browse/BAM-19664

Related CVE
CVE-2017-18101
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attack...
CVE-2017-18100
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.
CVE-2017-18098
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields.
CVE-2017-18097
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability...
CVE-2018-5224
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bam...
CVE-2018-5223
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can e...
CVE-2017-18094
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerabili...
CVE-2017-18095
The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability.

Copyright 2018, cxsecurity.com