-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/PS9sO .


CVE ID:

* CVE-2018-5224.


Product: Bamboo.

Affected Bamboo product versions:

2.7.0 <= version < 6.3.3
6.4.0 <= version < 6.4.1


Fixed Bamboo product versions:

* for 6.3.x, Bamboo 6.3.3 has been released with a fix for this issue.
* for 6.4.x, Bamboo 6.4.1 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from
version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows
operating system are affected by this vulnerability.



Customers who have upgraded Bamboo to version 6.3.3 or 6.4.1 are not affected.

Customers who have downloaded and installed Bamboo >= 2.7.0 but less than 6.3.3
(the fixed version for 6.3.x) or who have downloaded and installed Bamboo >=
6.4.0 but less than 6.4.1 (the fixed version for 6.4.x) please upgrade your
Bamboo installations immediately to fix this vulnerability.



Argument injection through Mercurial repository uri handling on Windows
(CVE-2018-5224)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bamboo did not correctly check if a configured Mercurial repository URI
contained values that the Windows operating system may consider argument
parameters. An attacker who has permission to create a repository in Bamboo,
edit an existing plan in Bamboo that has a non-linked Mercurial repository, or
create a plan in Bamboo either globally or in a project using Bamboo Specs can
execute code of their choice on systems that run a vulnerable version of Bamboo
on the Windows operating system.
Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for
6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running
on the Windows operating system are affected by this vulnerability. This issue
can be tracked at: https://jira.atlassian.com/browse/BAM-19743 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Bamboo version 6.3.3
* Bamboo version 6.4.1

Remediation:

Upgrade Bamboo to version 6.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Bamboo 6.3.x and cannot upgrade to 6.4.1, upgrade to version
6.3.3.


For a full description of the latest version of Bamboo, see
the release notes found at
https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can
download the latest version of Bamboo from the download centre found at
https://www.atlassian.com/software/bamboo/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJaxYQwFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
Unag/K0P/0rDhyJHC2DaC4y+8GJKOjc+4FA3NNY0C1Fa3JhGouC936njlDxKW9nx
vwXL5oxla1RKOGrSZmjJ6gu/HawAw98ATNUm54VSeynUXbWvOhpQC7PJ8fhxQSV1
N4/r4bRirkEuk/hyZBKFfEElvFsCLGO4lmhLTP1luVXDV0lB8i4AAbZPx+1BC8hS
POy2wPvJ0H5H/inSN6HIq2FgE3z0lq5Ntb+moQnA/7zJH+5VyzYfSg+FeKYZTCVT
lGmho6JVD84f1bpj/CR0SByd5pfu+rZhZj/2afkkjuGdmDolMpE99+zImZj9vTPi
l85BZo1YKZkkUxHpErgAZKIevzInQH07pDPpeNMWVfI9w8mrE3TZj/cUHS/V87DE
K1oxyz8D4WtqsnsWmSOocmzzan6k7IK7+kFBHqyjSetMGtqfjmzQbXEotWyki9+f
g8A4bQKOXz8gPnUBUwJv86k5DBOkb7IsvXiJgEIuMzl4yq/qJmeCTGjOj2hNRg2w
nowAAD4YDUbhsC3W3lVU2UaJokQ0Qf5jRgcuJimqDUqR3jrkpzPTuVyXy8rVLHg6
+TpcSlXluRnrEfYNaB4UwSsKW5zPktouROeU1QPhhHkdPt/JmAY/FZKv7Ti95r9o
5fjvbX/zaWhVTxnId2joi7tDsjkLYLd/mI72ycA/pkIIRENlRY6L
=hdeb
-----END PGP SIGNATURE-----