-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/PS9sO . CVE ID: * CVE-2018-5224. Product: Bamboo. Affected Bamboo product versions: 2.7.0 <= version < 6.3.3 6.4.0 <= version < 6.4.1 Fixed Bamboo product versions: * for 6.3.x, Bamboo 6.3.3 has been released with a fix for this issue. * for 6.4.x, Bamboo 6.4.1 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability. Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability. Customers who have upgraded Bamboo to version 6.3.3 or 6.4.1 are not affected. Customers who have downloaded and installed Bamboo >= 2.7.0 but less than 6.3.3 (the fixed version for 6.3.x) or who have downloaded and installed Bamboo >= 6.4.0 but less than 6.4.1 (the fixed version for 6.4.x) please upgrade your Bamboo installations immediately to fix this vulnerability. Argument injection through Mercurial repository uri handling on Windows (CVE-2018-5224) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BAM-19743 . Fix: To address this issue, we've released the following versions containing a fix: * Bamboo version 6.3.3 * Bamboo version 6.4.1 Remediation: Upgrade Bamboo to version 6.4.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Bamboo 6.3.x and cannot upgrade to 6.4.1, upgrade to version 6.3.3. For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. -----BEGIN PGP SIGNATURE----- iQI0BAEBCgAeBQJaxYQwFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8 Unag/K0P/0rDhyJHC2DaC4y+8GJKOjc+4FA3NNY0C1Fa3JhGouC936njlDxKW9nx vwXL5oxla1RKOGrSZmjJ6gu/HawAw98ATNUm54VSeynUXbWvOhpQC7PJ8fhxQSV1 N4/r4bRirkEuk/hyZBKFfEElvFsCLGO4lmhLTP1luVXDV0lB8i4AAbZPx+1BC8hS POy2wPvJ0H5H/inSN6HIq2FgE3z0lq5Ntb+moQnA/7zJH+5VyzYfSg+FeKYZTCVT lGmho6JVD84f1bpj/CR0SByd5pfu+rZhZj/2afkkjuGdmDolMpE99+zImZj9vTPi l85BZo1YKZkkUxHpErgAZKIevzInQH07pDPpeNMWVfI9w8mrE3TZj/cUHS/V87DE K1oxyz8D4WtqsnsWmSOocmzzan6k7IK7+kFBHqyjSetMGtqfjmzQbXEotWyki9+f g8A4bQKOXz8gPnUBUwJv86k5DBOkb7IsvXiJgEIuMzl4yq/qJmeCTGjOj2hNRg2w nowAAD4YDUbhsC3W3lVU2UaJokQ0Qf5jRgcuJimqDUqR3jrkpzPTuVyXy8rVLHg6 +TpcSlXluRnrEfYNaB4UwSsKW5zPktouROeU1QPhhHkdPt/JmAY/FZKv7Ti95r9o 5fjvbX/zaWhVTxnId2joi7tDsjkLYLd/mI72ycA/pkIIRENlRY6L =hdeb -----END PGP SIGNATURE-----