Bamboo Security Advisory 2008-02-08 (Bamboo 2.0 Beta)

Bamboo 2.0 Beta Security Considerations

Risk Assessment

The Bamboo 2.0 Beta does not include the security features that will be present in the final released product. Please note the following security implications when enabling Bamboo's remote agent functionality:

  • No encryption of data passed between server and agent — this includes data such as:
    • login credentials for version control repositories
    • build logs
    • build artifacts
  • No authentication of the agent or server — this could result in unauthorised actions being taken on your system, such as:
    • Unauthorised parties installing new remote agents — version control repository login credentials could be stolen.
    • Unauthorised parties masquerading as a Bamboo server — the unauthorised server could pass malicious code to the agent to run.

We strongly recommend that you do not enable remote agent installation on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is disabled by default.
These are limitations of the beta release only and will be addressed before the final product is released.

Vulnerability

An unauthorised party could steal sensitive data passing between the Bamboo server and agents or run malicious code on your agents, as described in the 'Risk Assessment' section.

Fix

These are limitations of the beta release only and will be addressed before the final product is released.

Last modified on May 7, 2012
