Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
Published 2017-12-13 15:29:00
Updated 2019-10-03 00:03:26
Source Atlassian
View at NVD,   CVE.org
Vulnerability category: Execute code

Products affected by CVE-2017-14590

Exploit prediction scoring system (EPSS) score for CVE-2017-14590

0.24%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 62 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-14590

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.0
HIGH AV:N/AC:L/Au:S/C:C/I:C/A:C
8.0
10.0
NIST
9.1
CRITICAL CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2.3
6.0
NIST

References for CVE-2017-14590

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!