Bamboo Data Center and Server update for xstream
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-7957 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Atlassian Bamboo Server applications / Other server solutions |
| Vendor | Atlassian |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Denial of service
EUVDB-ID: #VU8802
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-7957
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to XStream mishandles attempts to create an instance of the primitive type 'void' during unmarshalling when a certain denyTypes workaround is not used. A remote attacker can perform demonstrated by an xstream.fromXML("<void/>") call, trigger an unmarshalling error in XStream and cause the target service to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsAtlassian Bamboo: 9.2.1 - 9.2.7
CPE2.3 External linkshttps://jira.atlassian.com/browse/BAM-25613
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
