QID 731284
Date Published: 2024-03-21
QID 731284: Atlassian Bamboo Server and Data Center Multiple Vulnerabilities (BAM-25716,BAM-25717)
Atlassian Bamboo is a continuous integration (CI) and deployment server. Bamboo Data Center is a continuous delivery pipeline that offers resilience, reliability, and scalability for teams of any size.
CVE-2024-1597: SQLi (SQL Injection) org.postgresql:postgresql Dependency in Bamboo Data Center and Server
CVE-2024-21634: DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Bamboo Data Center and Server
Affected Bamboo Server and Data Center:
from 9.5.0 to 9.5.1
from 9.4.0 to 9.4.3
from 9.3.0 to 9.3.6
from 9.2.0 to 9.2.11
from 9.1.0 to 9.1.3
from 9.0.0 to 9.0.4
from 8.2.0 to 8.2.9
all before 8.2.0
QID Detection Logic:(Unauthenticated):
QID checks for the vulnerable versions of Atlassian Bamboo via GET login request.
QID Detection Logic:(Windows):
QID checks for the vulnerable versions of Atlassian Bamboo through the registry key.
Note: This is affecting only postgresql and software.amazon.ion:ion-java Dependency in Atlassian Bamboo Server and Data Center. Hence, set as practice.
Successful exploitation of this vulnerability allows unauthenticated attacker to expose assets in your environment.
- BAM-25716 -
jira.atlassian.com/browse/BAM-25716 - BAM-25717 -
jira.atlassian.com/browse/BAM-25717
CVEs related to QID 731284
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| BAM-25716 |
jira.atlassian.com/browse/BAM-25716 |
||
| BAM-25717 |
jira.atlassian.com/browse/BAM-25717 |