Cross-site request forgery in Atlassian Bamboo

Published: 2018-02-08 13:39:30
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2017-18080
CVSSv3 5.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID CWE-352
Exploitation vector Network
Public exploit Not available
Vulnerable software Atlassian Bamboo
Vulnerable software versions Atlassian Bamboo 6.3.0
Vendor URL Atlassian

Security Advisory

1) Cross-site request forgery

Description

The vulnerability allows a remote unauthenticated attacker to perform CSRF attack.

The weakness exists due to improper validation of user-supplied input by the saveConfigureSecurity resource. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.

Remediation

Update to version 6.3.1

External links

https://jira.atlassian.com/browse/BAM-19664

Back to List